+++ /dev/null
-
- The Wireshark FAQ
-
- Note: This is just an ASCII snapshot of the faq and may not be up to
- date. Please go to http://www.wireshark.org/faq.html for the up
- to date version. The version of this snapshot can be found at
- the end of this document.
-
- INDEX
-
-
- 1. General Questions:
-
- 1.1 What is Wireshark?
-
- 1.2 What's up with the name change? Is Wireshark a fork?
-
- 1.3 Where can I get help?
-
- 1.4 What kind of shark is Wireshark?
-
- 1.5 How is Wireshark pronounced, spelled and capitalized?
-
- 1.6 How much does Wireshark cost?
-
- 1.7 Can I use Wireshark commercially?
-
- 1.8 Can I use Wireshark as part of my commercial product?
-
- 1.9 What protocols are currently supported?
-
- 1.10 Are there any plans to support {your favorite protocol}?
-
- 1.11 Can Wireshark read capture files from {your favorite network
- analyzer}?
-
- 1.12 What devices can Wireshark use to capture packets?
-
- 1.13 Does Wireshark work on Windows Vista?
-
- 2. Downloading Wireshark:
-
- 2.1 Why do I get an error when I try to run the Win32 installer?
-
- 3. Installing Wireshark:
-
- 3.1 I installed the Wireshark RPM (or other package); why did it
- install TShark but not Wireshark?
-
- 4. Building Wireshark:
-
- 4.1 I have libpcap installed; why did the configure script not find
- pcap.h or bpf.h?
-
- 4.2 Why do I get the error
-
- dftest_DEPENDENCIES was already defined in condition TRUE, which
- implies condition HAVE_PLUGINS_TRUE
-
- when I try to build Wireshark from SVN or a SVN snapshot?
-
- 4.3 Why does the linker fail with a number of "Output line too long."
- messages followed by linker errors when I try to buil Wireshark?
-
- 4.4 When I try to build Wireshark on Solaris, why does the link fail
- complaining that plugin_list is undefined?
-
- 4.5 When I try to build Wireshark on Windows, why does the build fail
- because of conflicts between winsock.h and winsock2.h?
-
- 5. Starting Wireshark:
-
- 5.1 Why does Wireshark crash with a Bus Error when I try to run it on
- Solaris 8?
-
- 5.2 When I run Wireshark on Windows NT, why does it die with a Dr.
- Watson error, reporting an "Integer division by zero" exception, when I
- start it?
-
- 5.3 When I try to run Wireshark, why does it complain about
- sprint_realloc_objid being undefined?
-
- 5.4 I've installed Wireshark from Fink on Mac OS X; why is it very slow
- to start up?
-
- 6. Crashes and other fatal errors:
-
- 6.1 I have an XXX network card on my machine; if I try to capture on
- it, why does my machine crash or reset itself?
-
- 6.2 Why does my machine crash or reset itself when I select "Start"
- from the "Capture" menu or select "Preferences" from the "Edit" menu?
-
- 7. Capturing packets:
-
- 7.1 When I use Wireshark to capture packets, why do I see only packets
- to and from my machine, or not see all the traffic I'm expecting to see
- from or to the machine I'm trying to monitor?
-
- 7.2 When I capture with Wireshark, why can't I see any TCP packets
- other than packets to and from my machine, even though another analyzer
- on the network sees those packets?
-
- 7.3 Why am I only seeing ARP packets when I try to capture traffic?
-
- 7.4 Why am I not seeing any traffic when I try to capture traffic?
-
- 7.5 Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?
-
- 7.6 How do I put an interface into promiscuous mode?
-
- 7.7 I can set a display filter just fine; why don't capture filters
- work?
-
- 7.8 I'm entering valid capture filters; why do I still get "parse
- error" errors?
-
- 7.9 How can I capture packets with CRC errors?
-
- 7.10 How can I capture entire frames, including the FCS?
-
- 7.11 I'm capturing packets on a machine on a VLAN; why don't the
- packets I'm capturing have VLAN tags?
-
- 7.12 Why does Wireshark hang after I stop a capture?
-
- 8. Capturing packets on Windows:
-
- 8.1 I'm running Wireshark on Windows; why does some network interface
- on my machine not show up in the list of interfaces in the "Interface:"
- field in the dialog box popped up by "Capture->Start", and/or why does
- Wireshark give me an error if I try to capture on that interface?
-
- 8.2 I'm running Wireshark on Windows; why do no network interfaces show
- up in the list of interfaces in the "Interface:" field in the dialog
- box popped up by "Capture->Start"?
-
- 8.3 I'm running Wireshark on Windows; why doesn't my serial port/ADSL
- modem/ISDN modem show up in the list of interfaces in the "Interface:"
- field in the dialog box popped up by "Capture->Start"?
-
- 8.4 I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows
- XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
- interface, and it shows up in the "Interface" item in the "Capture
- Options" dialog box. Why can no packets be sent on or received from
- that network while I'm trying to capture traffic on that interface?
-
- 8.5 I'm running Wireshark on Windows; why am I not seeing any traffic
- being sent by the machine running Wireshark?
-
- 8.6 When I capture on Windows in promiscuous mode, I can see packets
- other than those sent to or from my machine; however, those packets
- show up with a "Short Frame" indication, unlike packets to or from my
- machine. What should I do to arrange that I see those packets in their
- entirety?
-
- 8.7 I'm trying to capture 802.11 traffic on Windows; why am I not
- seeing any packets?
-
- 8.8 I'm trying to capture 802.11 traffic on Windows; why am I seeing
- packets received by the machine on which I'm capturing traffic, but not
- packets sent by that machine?
-
- 8.9 I'm trying to capture Ethernet VLAN traffic on Windows, and I'm
- capturing on a "raw" Ethernet device rather than a "VLAN interface", so
- that I can see the VLAN headers; why am I seeing packets received by
- the machine on which I'm capturing traffic, but not packets sent by
- that machine?
-
- 9. Capturing packets on UN*Xes:
-
- 9.1 I'm running Wireshark on a UNIX-flavored OS; why does some network
- interface on my machine not show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start",
- and/or why does Wireshark give me an error if I try to capture on that
- interface?
-
- 9.2 I'm running Wireshark on a UNIX-flavored OS; why do no network
- interfaces show up in the list of interfaces in the "Interface:" field
- in the dialog box popped up by "Capture->Start"?
-
- 9.3 I'm capturing packets on Linux; why do the time stamps have only
- 100ms resolution, rather than 1us resolution?
-
- 10. Capturing packets on wireless LANs:
-
- 10.1 How can I capture raw 802.11 frames, including non-data
- (management, beacon) frames?
-
- 10.2 How do I capture on an 802.11 device in monitor mode?
-
- 11. Viewing traffic:
-
- 11.1 Why am I seeing lots of packets with incorrect TCP checksums?
-
- 11.2 I've just installed Wireshark, and the traffic on my local LAN is
- boring. Where can I find more interesting captures?
-
- 11.3 Why doesn't Wireshark correctly identify RTP packets? It shows
- them only as UDP.
-
- 11.4 Why doesn't Wireshark show Yahoo Messenger packets in captures
- that contain Yahoo Messenger traffic?
-
- 12. Filtering traffic:
-
- 12.1 I saved a filter and tried to use its name to filter the display;
- why do I get an "Unexpected end of filter string" error?
-
- 12.2 How can I search for, or filter, packets that have a particular
- string anywhere in them?
-
- 12.3 How do I filter a capture to see traffic for virus XXX?
-
- 1. General Questions
-
- Q 1.1: What is Wireshark?
-
- A: Wireshark® is the world's most popular network protocol analyzer. It
- has a rich and powerful feature set and runs on most computing
- platforms including Windows, OS X, Linux, and UNIX. Network
- professionals, security experts, developers, and educators around the
- world use it regularly. It is freely available as open source, and is
- released under the GNU General Public License version 2.
- It is developed and maintained by a global team of protocol experts,
- and it is an example of a disruptive technology.
- Wireshark used to be known as Ethereal®. See the next question for
- details about the name change. If you're still using Ethereal, it is
- strongly recommended that you upgrade to Wireshark.
- For more information, please see the About Wireshark page.
-
- Q 1.2: What's up with the name change? Is Wireshark a fork?
-
- A: In May of 2006, Gerald Combs (the original author of Ethereal) went
- to work for CACE Technologies (best known for WinPcap). Unfortunately,
- he had to leave the Ethereal trademarks behind.
- This left the project in an awkward position. The only reasonable way
- to ensure the continued success of the project was to change the name.
- This is how Wireshark was born.
- Wireshark is almost (but not quite) a fork. Normally a "fork" of an
- open source project results in two names, web sites, development teams,
- support infrastructures, etc. This is the case with Wireshark except
- for one notable exception -- every member of the core development team
- is now working on Wireshark. There has been no active development on
- Ethereal since the name change. Several parts of the Ethereal web site
- (such as the mailing lists, source code repository, and build farm)
- have gone offline.
- More information on the name change can be found here:
- *
- *
- * Many other articles in
-
- Q 1.3: Where can I get help?
-
- A: Community support is available on the wireshark-users mailing list.
- Subscription information and archives for all of Wireshark's mailing
- lists can be found at http://www.wireshark.org/mailman/listinfo. An IRC
- channel dedicated to Wireshark can be found at
- irc://irc.freenode.net/wireshark.
- Self-paced and instructor-led training is available at Wireshark
- University. A certification program will be announced in Q3 2007.
- Commercial support and development services are available from CACE
- Technologies.
-
- Q 1.4: What kind of shark is Wireshark?
-
- A: carcharodon photoshopia.
-
- Q 1.5: How is Wireshark pronounced, spelled and capitalized?
-
- A: Wireshark is pronounced as the word wire followed immediately by the
- word shark. Exact pronunciation and emphasis may vary depending on your
- locale (e.g. Arkansas).
- It's spelled with a capital W, followed by a lower-case ireshark. It is
- not a CamelCase word, i.e., WireShark is incorrect.
-
- Q 1.6: How much does Wireshark cost?
-
- A: Wireshark is "free software"; you can download it without paying any
- license fee. The version of Wireshark you download isn't a "demo"
- version, with limitations not present in a "full" version; it is the
- full version.
- The license under which Wireshark is issued is the GNU General Public
- License. See the GNU GPL FAQ for some more information.
-
- Q 1.7: Can I use Wireshark commercially?
-
- A: Yes, if, for example, you mean "I work for a commercial
- organization; can I use Wireshark to capture and analyze network
- traffic in our company's networks or in our customer's networks?"
- If you mean "Can I use Wireshark as part of my commercial product?",
- see the next entry in the FAQ.
-
- Q 1.8: Can I use Wireshark as part of my commercial product?
-
- A: As noted, Wireshark is licensed under the GNU General Public
- License. The GPL imposes conditions on your use of GPL'ed code in your
- own products; you cannot, for example, make a "derived work" from
- Wireshark, by making modifications to it, and then sell the resulting
- derived work and not allow recipients to give away the resulting work.
- You must also make the changes you've made to the Wireshark source
- available to all recipients of your modified version; those changes
- must also be licensed under the terms of the GPL. See the GPL FAQ for
- more details; in particular, note the answer to the question about
- modifying a GPLed program and selling it commercially, and the question
- about linking GPLed code with other code to make a proprietary program.
- You can combine a GPLed program such as Wireshark and a commercial
- program as long as they communicate "at arm's length", as per this item
- in the GPL FAQ.
-
- Q 1.9: What protocols are currently supported?
-
- A: There are currently hundreds of supported protocols and media.
- Details can be found in the wireshark(1) man page.
-
- Q 1.10: Are there any plans to support {your favorite protocol}?
-
- A: Support for particular protocols is added to Wireshark as a result
- of people contributing that support; no formal plans for adding support
- for particular protocols in particular future releases exist.
-
- Q 1.11: Can Wireshark read capture files from {your favorite network
- analyzer}?
-
- A: Support for particular protocols is added to Wireshark as a result
- of people contributing that support; no formal plans for adding support
- for particular protocols in particular future releases exist.
- If a network analyzer writes out files in a format already supported by
- Wireshark (e.g., in libpcap format), Wireshark may already be able to
- read them, unless the analyzer has added its own proprietary extensions
- to that format.
- If a network analyzer writes out files in its own format, or has added
- proprietary extensions to another format, in order to make Wireshark
- read captures from that network analyzer, we would either have to have
- a specification for the file format, or the extensions, sufficient to
- give us enough information to read the parts of the file relevant to
- Wireshark, or would need at least one capture file in that format AND a
- detailed textual analysis of the packets in that capture file (showing
- packet time stamps, packet lengths, and the top-level packet header) in
- order to reverse-engineer the file format.
- Note that there is no guarantee that we will be able to
- reverse-engineer a capture file format.
-
- Q 1.12: What devices can Wireshark use to capture packets?
-
- A: Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial
- (PPP and SLIP) (if the OS on which it's running allows Wireshark to do
- so), 802.11 wireless LAN (if the OS on which it's running allows
- Wireshark to do so), ATM connections (if the OS on which it's running
- allows Wireshark to do so), and the "any" device supported on Linux by
- recent versions of libpcap.
- See the list of supported capture media on various OSes for details
- (several items in there say "Unknown", which doesn't mean "Wireshark
- can't capture on them", it means "we don't know whether it can capture
- on them"; we expect that it will be able to capture on many of them,
- but we haven't tried it ourselves - if you try one of those types and
- it works, please update the wiki page accordingly.
- It can also read a variety of capture file formats, including:
- * AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
- Grabber captures
- * AIX's iptrace captures
- * Accellent's 5Views LAN agent output
- * Cinco Networks NetXRay captures
- * Cisco Secure Intrusion Detection System IPLog output
- * CoSine L2 debug output
- * DBS Etherwatch VMS text output
- * Endace Measurement Systems' ERF format captures
- * EyeSDN USB S0 traces
- * HP-UX nettl captures
- * ISDN4BSD project i4btrace captures
- * Linux Bluez Bluetooth stack hcidump -w traces
- * Lucent/Ascend router debug output
- * Microsoft Network Monitor captures
- * Network Associates Windows-based Sniffer captures
- * Network General/Network Associates DOS-based Sniffer (compressed or
- uncompressed) captures
- * Network Instruments Observer version 9 captures
- * Novell LANalyzer captures
- * RADCOM's WAN/LAN analyzer captures
- * Shomiti/Finisar Surveyor captures
- * Toshiba's ISDN routers dump output
- * VMS TCPIPtrace/TCPtrace/UCX$TRACE output
- * Visual Networks' Visual UpTime traffic capture
- * libpcap, tcpdump and various other tools using tcpdump's capture
- format
- * snoop and atmsnoop output
-
- so that it can read traces from various network types, as captured by
- other applications or equipment, even if it cannot itself capture on
- those network types.
-
- Q 1.13: Does Wireshark work on Windows Vista?
-
- A: Yes, but if you want to capture packets, you must make sure npf.sys
- is loaded. You can do this by selecting Start WinPcap service "NPF" at
- startup in the installer or by running sc config npf start= auto as
- Administrator from the command line. You can also run Wireshark as
- Administrator, but this is discouraged. See the CaputrePrivileges page
- on the wiki for more details.
-
- 2. Downloading Wireshark
-
- Q 2.1: Why do I get an error when I try to run the Win32 installer?
-
- A: The program you used to download it may have downloaded it
- incorrectly. Web browsers and download accelerators sometimes may do
- this.
- Try downloading it with, for example:
- * Wget, for which Windows binaries are available from Christopher
- Lewis or wGetGUI, which offers a GUI interface that uses wget;
- * WS_FTP from Ipswitch,
- * the ftp command that comes with Windows.
-
- If you use the ftp command, make sure you do the transfer in binary
- mode rather than ASCII mode, by using the binary command before
- transferring the file.
-
- 3. Installing Wireshark
-
- Q 3.1: I installed the Wireshark RPM (or other package); why did it
- install TShark but not Wireshark?
-
- A: Many distributions have separate Wireshark packages, one for non-GUI
- components such as TShark, editcap, dumpcap, etc. and one for the GUI.
- If this is the case on your system, there's probably a separate package
- named wireshark-gnome or wireshark-gtk+. Find it and install it.
-
- 4. Building Wireshark
-
- Q 4.1: I have libpcap installed; why did the configure script not find
- pcap.h or bpf.h?
-
- A: Are you sure pcap.h and bpf.h are installed? The official
- distribution of libpcap only installs the libpcap.a library file when
- "make install" is run. To install pcap.h and bpf.h, you must run "make
- install-incl". If you're running Debian or Redhat, make sure you have
- the "libpcap-dev" or "libpcap-devel" packages installed.
- It's also possible that pcap.h and bpf.h have been installed in a
- strange location. If this is the case, you may have to tweak
- aclocal.m4.
-
- Q 4.2: Why do I get the error
-
- dftest_DEPENDENCIES was already defined in condition TRUE, which
- implies condition HAVE_PLUGINS_TRUE
-
- when I try to build Wireshark from SVN or a SVN snapshot?
-
- A: You probably have automake 1.5 installed on your machine (the
- command automake --version will report the version of automake on your
- machine). There is a bug in that version of automake that causes this
- problem; upgrade to a later version of automake (1.6 or later).
-
- Q 4.3: Why does the linker fail with a number of "Output line too
- long." messages followed by linker errors when I try to buil Wireshark?
-
- A: The version of the sed command on your system is incapable of
- handling very long lines. On Solaris, for example, /usr/bin/sed has a
- line length limit too low to allow libtool to work; /usr/xpg4/bin/sed
- can handle it, as can GNU sed if you have it installed.
- On Solaris, changing your command search path to search /usr/xpg4/bin
- before /usr/bin should make the problem go away; on any platform on
- which you have this problem, installing GNU sed and changing your
- command path to search the directory in which it is installed before
- searching the directory with the version of sed that came with the OS
- should make the problem go away.
-
- Q 4.4: When I try to build Wireshark on Solaris, why does the link fail
- complaining that plugin_list is undefined?
-
- A: This appears to be due to a problem with some versions of the GTK+
- and GLib packages from www.sunfreeware.org; un-install those packages,
- and try getting the 1.2.10 versions from that site, or the versions
- from The Written Word, or the versions from Sun's GNOME distribution,
- or the versions from the supplemental software CD that comes with the
- Solaris media kit, or build them from source from the GTK Web site.
- Then re-run the configuration script, and try rebuilding Wireshark. (If
- you get the 1.2.10 versions from www.sunfreeware.org, and the problem
- persists, un-install them and try installing one of the other versions
- mentioned.)
-
- Q 4.5: When I try to build Wireshark on Windows, why does the build
- fail because of conflicts between winsock.h and winsock2.h?
-
- A: As of Wireshark 0.9.5, you must install WinPcap 2.3 or later, and
- the corresponding version of the developer's pack, in order to be able
- to compile Wireshark; it will not compile with older versions of the
- developer's pack. The symptoms of this failure are conflicts between
- definitions in winsock.h and in winsock2.h; Wireshark uses winsock2.h,
- but pre-2.3 versions of the WinPcap developer's packet use winsock.h.
- (2.3 uses winsock2.h, so if Wireshark were to use winsock.h, it would
- not be able to build with current versions of the WinPcap developer's
- pack.)
- Note that the installed version of the developer's pack should be the
- same version as the version of WinPcap you have installed.
-
- 5. Starting Wireshark
-
- Q 5.1: Why does Wireshark crash with a Bus Error when I try to run it
- on Solaris 8?
-
- A: Some versions of the GTK+ library from www.sunfreeware.org appear to
- be buggy, causing Wireshark to drop core with a Bus Error. Un-install
- those packages, and try getting the 1.2.10 version from that site, or
- the version from The Written Word, or the version from Sun's GNOME
- distribution, or the version from the supplemental software CD that
- comes with the Solaris media kit, or build it from source from the GTK
- Web site. Update the GLib library to the 1.2.10 version, from the same
- source, as well. (If you get the 1.2.10 versions from
- www.sunfreeware.org, and the problem persists, un-install them and try
- installing one of the other versions mentioned.)
- Similar problems may exist with older versions of GTK+ for earlier
- versions of Solaris.
-
- Q 5.2: When I run Wireshark on Windows NT, why does it die with a Dr.
- Watson error, reporting an "Integer division by zero" exception, when I
- start it?
-
- A: In at least some case, this appears to be due to using the default
- VGA driver; if that's not the correct driver for your video card, try
- running the correct driver for your video card.
-
- Q 5.3: When I try to run Wireshark, why does it complain about
- sprint_realloc_objid being undefined?
-
- A: Wireshark can only be linked with version 4.2.2 or later of UCD
- SNMP. Your version of Wireshark was dynamically linked with such a
- version of UCD SNMP; however, you have an older version of UCD SNMP
- installed, which means that when Wireshark is run, it tries to link to
- the older version, and fails. You will have to replace that version of
- UCD SNMP with version 4.2.2 or a later version.
-
- Q 5.4: I've installed Wireshark from Fink on Mac OS X; why is it very
- slow to start up?
-
- A: When an application is installed on OS X, prior to 10.4, it is
- usually "prebound" to speed up launching the application. (That's what
- the "Optimizing" phase of installation is.)
- Fink normally performs prebinding automatically when you install a
- package. However, in some rare cases, for whatever reason the
- prebinding caches get corrupt, and then not only does prebinding fail,
- but startup actually becomes much slower, because the system tries in
- vain to perform prebinding "on the fly" as you launch the application.
- This fails, causing sometimes huge delays.
- To fix the prebinding caches, run the command
- sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f
-
- 6. Crashes and other fatal errors
-
- Q 6.1: I have an XXX network card on my machine; if I try to capture on
- it, why does my machine crash or reset itself?
-
- A: This is almost certainly a problem with one or more of:
- * the operating system you're using;
- * the device driver for the interface you're using;
- * the libpcap/WinPcap library and, if this is Windows, the WinPcap
- device driver;
-
- so:
- * if you are using Windows, see the WinPcap support page - check the
- "Submitting bugs" section;
- * if you are using some Linux distribution, some version of BSD, or
- some other UNIX-flavored OS, you should report the problem to the
- company or organization that produces the OS (in the case of a
- Linux distribution, report the problem to whoever produces the
- distribution).
-
- Q 6.2: Why does my machine crash or reset itself when I select "Start"
- from the "Capture" menu or select "Preferences" from the "Edit" menu?
-
- A: Both of those operations cause Wireshark to try to build a list of
- the interfaces that it can open; it does so by getting a list of
- interfaces and trying to open them. There is probably an OS, driver,
- or, for Windows, WinPcap bug that causes the system to crash when this
- happens; see the previous question.
-
- 7. Capturing packets
-
- Q 7.1: When I use Wireshark to capture packets, why do I see only
- packets to and from my machine, or not see all the traffic I'm
- expecting to see from or to the machine I'm trying to monitor?
-
- A: This might be because the interface on which you're capturing is
- plugged into an Ethernet or Token Ring switch; on a switched network,
- unicast traffic between two ports will not necessarily appear on other
- ports - only broadcast and multicast traffic will be sent to all ports.
- Note that even if your machine is plugged into a hub, the "hub" may be
- a switched hub, in which case you're still on a switched network.
- Note also that on the Linksys Web site, they say that their
- auto-sensing hubs "broadcast the 10Mb packets to the port that operate
- at 10Mb only and broadcast the 100Mb packets to the ports that operate
- at 100Mb only", which would indicate that if you sniff on a 10Mb port,
- you will not see traffic coming sent to a 100Mb port, and vice versa.
- This problem has also been reported for Netgear dual-speed hubs, and
- may exist for other "auto-sensing" or "dual-speed" hubs.
- Some switches have the ability to replicate all traffic on all ports to
- a single port so that you can plug your analyzer into that single port
- to sniff all traffic. You would have to check the documentation for the
- switch to see if this is possible and, if so, to see how to do this.
- See the switch reference page on the Wireshark Wiki for information on
- some switches. (Note that it's a Wiki, so you can update or fix that
- information, or add additional information on those switches or
- information on new switches, yourself.)
- Note also that many firewall/NAT boxes have a switch built into them;
- this includes many of the "cable/DSL router" boxes. If you have a box
- of that sort, that has a switch with some number of Ethernet ports into
- which you plug machines on your network, and another Ethernet port used
- to connect to a cable or DSL modem, you can, at least, sniff traffic
- between the machines on your network and the Internet by plugging the
- Ethernet port on the router going to the modem, the Ethernet port on
- the modem, and the machine on which you're running Wireshark into a hub
- (make sure it's not a switching hub, and that, if it's a dual-speed
- hub, all three of those ports are running at the same speed.
- If your machine is not plugged into a switched network or a dual-speed
- hub, or it is plugged into a switched network but the port is set up to
- have all traffic replicated to it, the problem might be that the
- network interface on which you're capturing doesn't support
- "promiscuous" mode, or because your OS can't put the interface into
- promiscuous mode. Normally, network interfaces supply to the host only:
- * packets sent to one of that host's link-layer addresses;
- * broadcast packets;
- * multicast packets sent to a multicast address that the host has
- configured the interface to accept.
-
- Most network interfaces can also be put in "promiscuous" mode, in which
- they supply to the host all network packets they see. Wireshark will
- try to put the interface on which it's capturing into promiscuous mode
- unless the "Capture packets in promiscuous mode" option is turned off
- in the "Capture Options" dialog box, and TShark will try to put the
- interface on which it's capturing into promiscuous mode unless the -p
- option was specified. However, some network interfaces don't support
- promiscuous mode, and some OSes might not allow interfaces to be put
- into promiscuous mode.
- If the interface is not running in promiscuous mode, it won't see any
- traffic that isn't intended to be seen by your machine. It will see
- broadcast packets, and multicast packets sent to a multicast MAC
- address the interface is set up to receive.
- You should ask the vendor of your network interface whether it supports
- promiscuous mode. If it does, you should ask whoever supplied the
- driver for the interface (the vendor, or the supplier of the OS you're
- running on your machine) whether it supports promiscuous mode with that
- network interface.
- In the case of token ring interfaces, the drivers for some of them, on
- Windows, may require you to enable promiscuous mode in order to capture
- in promiscuous mode. See the Wireshark Wiki item on Token Ring
- capturing for details.
- In the case of wireless LAN interfaces, it appears that, when those
- interfaces are promiscuously sniffing, they're running in a
- significantly different mode from the mode that they run in when
- they're just acting as network interfaces (to the extent that it would
- be a significant effor for those drivers to support for promiscuously
- sniffing and acting as regular network interfaces at the same time), so
- it may be that Windows drivers for those interfaces don't support
- promiscuous mode.
-
- Q 7.2: When I capture with Wireshark, why can't I see any TCP packets
- other than packets to and from my machine, even though another analyzer
- on the network sees those packets?
-
- A: You're probably not seeing any packets other than unicast packets to
- or from your machine, and broadcast and multicast packets; a switch
- will normally send to a port only unicast traffic sent to the MAC
- address for the interface on that port, and broadcast and multicast
- traffic - it won't send to that port unicast traffic sent to a MAC
- address for some other interface - and a network interface not in
- promiscuous mode will receive only unicast traffic sent to the MAC
- address for that interface, broadcast traffic, and multicast traffic
- sent to a multicast MAC address the interface is set up to receive.
- TCP doesn't use broadcast or multicast, so you will only see your own
- TCP traffic, but UDP services may use broadcast or multicast so you'll
- see some UDP traffic - however, this is not a problem with TCP traffic,
- it's a problem with unicast traffic, as you also won't see all UDP
- traffic between other machines.
- I.e., this is probably the same question as this earlier one; see the
- response to that question.
-
- Q 7.3: Why am I only seeing ARP packets when I try to capture traffic?
-
- A: You're probably on a switched network, and running Wireshark on a
- machine that's not sending traffic to the switch and not being sent any
- traffic from other machines on the switch. ARP packets are often
- broadcast packets, which are sent to all switch ports.
- I.e., this is probably the same question as this earlier one; see the
- response to that question.
-
- Q 7.4: Why am I not seeing any traffic when I try to capture traffic?
-
- A: Is the machine running Wireshark sending out any traffic on the
- network interface on which you're capturing, or receiving any traffic
- on that network, or is there any broadcast traffic on the network or
- multicast traffic to a multicast group to which the machine running
- Wireshark belongs?
- If not, this may just be a problem with promiscuous sniffing, either
- due to running on a switched network or a dual-speed hub, or due to
- problems with the interface not supporting promiscuous mode; see the
- response to this earlier question.
- Otherwise, on Windows, see the response to this question and, on a
- UNIX-flavored OS, see the response to this question.
-
- Q 7.5: Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?
-
- A: Wireshark can only capture on devices supported by libpcap/WinPcap.
- On most OSes, only devices that can act as network interfaces of the
- type that support IP are supported as capture devices for
- libpcap/WinPcap, although the device doesn't necessarily have to be
- running as an IP interface in order to support traffic capture.
- On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
- Measurement Systems' DAG cards, so that a system with one of those
- cards, and its driver and libraries, installed can capture traffic with
- those cards with libpcap-based applications. You would either have to
- have a version of Wireshark built with that version of libpcap, or a
- dynamically-linked version of Wireshark and a shared libpcap library
- with DAG support, in order to do so with Wireshark. You should ask
- Endace whether that could be used to capture traffic on, for example,
- your T1/E1 link.
- See the SS7 capture setup page on the Wireshark Wiki for current
- information on capturing SS7 traffic on TDM links.
-
- Q 7.6: How do I put an interface into promiscuous mode?
-
- A: By not disabling promiscuous mode when running Wireshark or TShark.
- Note, however, that:
- * the form of promiscuous mode that libpcap (the library that
- programs such as tcpdump, Wireshark, etc. use to do packet capture)
- turns on will not necessarily be shown if you run ifconfig on the
- interface on a UNIX system;
- * some network interfaces might not support promiscuous mode, and
- some drivers might not allow promiscuous mode to be turned on - see
- this earlier question for more information on that;
- * the fact that you're not seeing any traffic, or are only seeing
- broadcast traffic, or aren't seeing any non-broadcast traffic other
- than traffic to or from the machine running Wireshark, does not
- mean that promiscuous mode isn't on - see this earlier question for
- more information on that.
-
- I.e., this is probably the same question as this earlier one; see the
- response to that question.
-
- Q 7.7: I can set a display filter just fine; why don't capture filters
- work?
-
- A: Capture filters currently use a different syntax than display
- filters. Here's the corresponding section from the wireshark(1) man
- page:
- "Display filters in Wireshark are very powerful; more fields are
- filterable in Wireshark than in other protocol analyzers, and the
- syntax you can use to create your filters is richer. As Wireshark
- progresses, expect more and more protocol fields to be allowed in
- display filters.
- Packet capturing is performed with the pcap library. The capture filter
- syntax follows the rules of the pcap library. This syntax is different
- from the display filter syntax."
- The capture filter syntax used by libpcap can be found in the
- tcpdump(8) man page.
-
- Q 7.8: I'm entering valid capture filters; why do I still get "parse
- error" errors?
-
- A: There is a bug in some versions of libpcap/WinPcap that cause it to
- report parse errors even for valid expressions if a previous filter
- expression was invalid and got a parse error.
- Try exiting and restarting Wireshark; if you are using a version of
- libpcap/WinPcap with this bug, this will "erase" its memory of the
- previous parse error. If the capture filter that got the "parse error"
- now works, the earlier error with that filter was probably due to this
- bug.
- The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of
- libpcap have this bug, but 0.6[.x] and later versions don't.
- Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of
- libpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and
- doesn't have this bug.
- If you are running Wireshark on a UNIX-flavored platform, run
- "wireshark -v", or select "About Wireshark..." from the "Help" menu in
- Wireshark, to see what version of libpcap it's using. If it's not 0.6
- or later, you will need either to upgrade your OS to get a later
- version of libpcap, or will need to build and install a later version
- of libpcap from the tcpdump.org Web site and then recompile Wireshark
- from source with that later version of libpcap.
- If you are running Wireshark on Windows with a pre-2.3 version of
- WinPcap, you will need to un-install WinPcap and then download and
- install WinPcap 2.3.
-
- Q 7.9: How can I capture packets with CRC errors?
-
- A: Wireshark can capture only the packets that the packet capture
- library - libpcap on UNIX-flavored OSes, and the WinPcap port to
- Windows of libpcap on Windows - can capture, and libpcap/WinPcap can
- capture only the packets that the OS's raw packet capture mechanism (or
- the WinPcap driver, and the underlying OS networking code and network
- interface drivers, on Windows) will allow it to capture.
- Unless the OS always supplies packets with errors such as invalid CRCs
- to the raw packet capture mechanism, or can be configured to do so,
- invalid CRCs to the raw packet capture mechanism, Wireshark - and other
- programs that capture raw packets, such as tcpdump - cannot capture
- those packets. You will have to determine whether your OS needs to be
- so configured and, if so, can be so configured, configure it if
- necessary and possible, and make whatever changes to libpcap and the
- packet capture program you're using are necessary, if any, to support
- capturing those packets.
- Most OSes probably do not support capturing packets with invalid CRCs
- on Ethernet, and probably do not support it on most other link-layer
- types. Some drivers on some OSes do support it, such as some Ethernet
- drivers on FreeBSD; in those OSes, you might always get those packets,
- or you might only get them if you capture in promiscuous mode (you'd
- have to determine which is the case).
- Note that libpcap does not currently supply to programs that use it an
- indication of whether the packet's CRC was invalid (because the drivers
- themselves do not supply that information to the raw packet capture
- mechanism); therefore, Wireshark will not indicate which packets had
- CRC errors unless the FCS was captured (see the next question) and
- you're using Wireshark 0.9.15 and later, in which case Wireshark will
- check the CRC and indicate whether it's correct or not.
-
- Q 7.10: How can I capture entire frames, including the FCS?
-
- A: Wireshark can only capture data that the packet capture library -
- libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
- libpcap on Windows - can capture, and libpcap/WinPcap can capture only
- the data that the OS's raw packet capture mechanism (or the WinPcap
- driver, and the underlying OS networking code and network interface
- drivers, on Windows) will allow it to capture.
- For any particular link-layer network type, unless the OS supplies the
- FCS of a frame as part of the frame, or can be configured to do so,
- Wireshark - and other programs that capture raw packets, such as
- tcpdump - cannot capture the FCS of a frame. You will have to determine
- whether your OS needs to be so configured and, if so, can be so
- configured, configure it if necessary and possible, and make whatever
- changes to libpcap and the packet capture program you're using are
- necessary, if any, to support capturing the FCS of a frame.
- Most OSes do not support capturing the FCS of a frame on Ethernet, and
- probably do not support it on most other link-layer types. Some drivres
- on some OSes do support it, such as some (all?) Ethernet drivers on
- NetBSD and possibly the driver for Apple's gigabit Ethernet interface
- in Mac OS X; in those OSes, you might always get the FCS, or you might
- only get the FCS if you capture in promiscuous mode (you'd have to
- determine which is the case).
- Versions of Wireshark prior to 0.9.15 will not treat an Ethernet FCS in
- a captured packet as an FCS. 0.9.15 and later will attempt to determine
- whether there's an FCS at the end of the frame and, if it thinks there
- is, will display it as such, and will check whether it's the correct
- CRC-32 value or not.
-
- Q 7.11: I'm capturing packets on a machine on a VLAN; why don't the
- packets I'm capturing have VLAN tags?
-
- A: You might be capturing on what might be called a "VLAN interface" -
- the way a particular OS makes VLANs plug into the networking stack
- might, for example, be to have a network device object for the physical
- interface, which takes VLAN packets, strips off the VLAN header and
- constructs an Ethernet header, and passes that packet to an internal
- network device object for the VLAN, which then passes the packets onto
- various higher-level protocol implementations.
- In order to see the raw Ethernet packets, rather than "de-VLANized"
- packets, you would have to capture not on the virtual interface for the
- VLAN, but on the interface corresponding to the physical network
- device, if possible. See the Wireshark Wiki item on VLAN capturing for
- details.
-
- Q 7.12: Why does Wireshark hang after I stop a capture?
-
- A: The most likely reason for this is that Wireshark is trying to look
- up an IP address in the capture to convert it to a name (so that, for
- example, it can display the name in the source address or destination
- address columns), and that lookup process is taking a very long time.
- Wireshark calls a routine in the OS of the machine on which it's
- running to convert of IP addresses to the corresponding names. That
- routine probably does one or more of:
- * a search of a system file listing IP addresses and names;
- * a lookup using DNS;
- * on UNIX systems, a lookup using NIS;
- * on Windows systems, a NetBIOS-over-TCP query.
-
- If a DNS server that's used in an address lookup is not responding, the
- lookup will fail, but will only fail after a timeout while the system
- routine waits for a reply.
- In addition, on Windows systems, if the DNS lookup of the address
- fails, either because the server isn't responding or because there are
- no records in the DNS that could be used to map the address to a name,
- a NetBIOS-over-TCP query will be made. That query involves sending a
- message to the NetBIOS-over-TCP name service on that machine, asking
- for the name and other information about the machine. If the machine
- isn't running software that responds to those queries - for example,
- many non-Windows machines wouldn't be running that software - the
- lookup will only fail after a timeout. Those timeouts can cause the
- lookup to take a long time.
- If you disable network address-to-name translation - for example, by
- turning off the "Enable network name resolution" option in the "Capture
- Options" dialog box for starting a network capture - the lookups of the
- address won't be done, which may speed up the process of reading the
- capture file after the capture is stopped. You can make that setting
- the default by selecting "Preferences" from the "Edit" menu, turning
- off the "Enable network name resolution" option in the "Name
- resolution" options in the preferences disalog box, and using the
- "Save" button in that dialog box; note that this will save all your
- current preference settings.
- If Wireshark hangs when reading a capture even with network name
- resolution turned off, there might, for example, be a bug in one of
- Wireshark's dissectors for a protocol causing it to loop infinitely. If
- you're not running the most recent release of Wireshark, you should
- first upgrade to that release, as, if there's a bug of that sort, it
- might've been fixed in a release after the one you're running. If the
- hang occurs in the most recent release of Wireshark, the bug should be
- reported to the Wireshark developers' mailing list at
- wireshark-dev@wireshark.org.
- On UNIX-flavored OSes, please try to force Wireshark to dump core, by
- sending it a SIGABRT signal (usually signal 6) with the kill command,
- and then get a stack trace if you have a debugger installed. A stack
- trace can be obtained by using your debugger (gdb in this example), the
- Wireshark binary, and the resulting core file. Here's an example of how
- to use the gdb command backtrace to do so.
- $ gdb wireshark core
- (gdb) backtrace
- ..... prints the stack trace
- (gdb) quit
- $
-
- The core dump file may be named "wireshark.core" rather than "core" on
- some platforms (e.g., BSD systems).
- Also, if at all possible, please send a copy of the capture file that
- caused the problem; when capturing packets, Wireshark normally writes
- captured packets to a temporary file, which will probably be in /tmp or
- /var/tmp on UNIX-flavored OSes, \TEMP on the main system disk (normally
- C:) on Windows 9x/Me/NT 4.0, and \Documents and Settings\your login
- name\Local Settings\Temp on the main system disk on Windows
- 2000/Windows XP/Windows Server 2003, so the capture file will probably
- be there. It will have a name beginning with ether, with some mixture
- of letters and numbers after that. Please don't send a trace file
- greater than 1 MB when compressed; instead, make it available via FTP
- or HTTP, or say it's available but leave it up to a developer to ask
- for it. If the trace file contains sensitive information (e.g.,
- passwords), then please do not send it.
-
- 8. Capturing packets on Windows
-
- Q 8.1: I'm running Wireshark on Windows; why does some network
- interface on my machine not show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start",
- and/or why does Wireshark give me an error if I try to capture on that
- interface?
-
- A: If you are running Wireshark on Windows NT 4.0, Windows 2000,
- Windows XP, or Windows Server 2003, and this is the first time you have
- run a WinPcap-based program (such as Wireshark, or TShark, or WinDump,
- or Analyzer, or...) since the machine was rebooted, you need to run
- that program from an account with administrator privileges; once you
- have run such a program, you will not need administrator privileges to
- run any such programs until you reboot.
- If you are running on Windows Windows 2000/Windows XP/Windows Server
- 2003 and have administrator privileges or a WinPcap-based program has
- been run with those privileges since the machine rebooted, this problem
- might clear up if you completely un-install WinPcap and then re-install
- it.
- If that doesn't work, then note that Wireshark relies on the WinPcap
- library, on the WinPcap device driver, and on the facilities that come
- with the OS on which it's running in order to do captures.
- Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
- support capturing on a particular network interface device, Wireshark
- won't be able to capture on that device.
- Note that:
- 1. 2.02 and earlier versions of the WinPcap driver and library that
- Wireshark uses for packet capture didn't support Token Ring
- interfaces; versions 2.1 and later support Token Ring, and the
- current version of Wireshark works with (and, in fact, requires)
- WinPcap 2.1 or later.
- If you are having problems capturing on Token Ring interfaces, and
- you have WinPcap 2.02 or an earlier version of WinPcap installed,
- you should uninstall WinPcap, download and install the current
- version of WinPcap, and then install the latest version of
- Wireshark.
- 2. WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows
- NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to
- avoid those problems, support for PPP WAN interfaces on those
- versions of Windows has been disabled in WinPcap 3.0. Regular
- dial-up lines, ISDN lines, ADSL connections using PPPoE or PPPoA,
- and various other lines such as T1/E1 lines are all PPP interfaces,
- so those interfaces might not show up on the list of interfaces in
- the "Capture Options" dialog on those OSes.
- On Windows 2000, Windows XP, and Windows Server 2003, but not
- Windows NT 4.0 or Windows Vista Beta 1, you should be able to
- capture on the "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta
- releases called it the "NdisWanAdapter"; if you're using a 3.1 beta
- release, you should un-install it and install the final 3.1
- release.) See the Wireshark Wiki item on PPP capturing for details.
- 3. WinPcap prior to 3.0 does not support multiprocessor machines (note
- that machines with a single multi-threaded processor, such as
- Intel's new multi-threaded x86 processors, are multiprocessor
- machines as far as the OS and WinPcap are concerned), and recent
- 2.x versions of WinPcap refuse to operate if they detect that
- they're running on a multiprocessor machine, which means that they
- may not show any network interfaces. You will need to use WinPcap
- 3.0 to capture on a multiprocessor machine.
-
- If an interface doesn't show up in the list of interfaces in the
- "Interface:" field, and you know the name of the interface, try
- entering that name in the "Interface:" field and capturing on that
- device.
- If the attempt to capture on it succeeds, the interface is somehow not
- being reported by the mechanism Wireshark uses to get a list of
- interfaces. Try listing the interfaces with WinDump; see the WinDump
- Web site for information on using WinDump.
- You would run WinDump with the -D flag; if it lists the interface,
- please report this to wireshark-dev@wireshark.org giving full details
- of the problem, including
- * the operating system you're using, and the version of that
- operating system;
- * the type of network device you're using;
- * the output of WinDump.
-
- If WinDump does not list the interface, this is almost certainly a
- problem with one or more of:
- * the operating system you're using;
- * the device driver for the interface you're using;
- * the WinPcap library and/or the WinPcap device driver;
-
- so first check the WinPcap FAQ or the Wiretapped.net mirror of that
- FAQ, to see if your problem is mentioned there. If not, then see the
- WinPcap support page - check the "Submitting bugs" section.
- If you are having trouble capturing on a particular network interface,
- first try capturing on that device with WinDump; see the WinDump Web
- site for information on using WinDump.
- If you can capture on the interface with WinDump, send mail to
- wireshark-users@wireshark.org giving full details of the problem,
- including
- * the operating system you're using, and the version of that
- operating system;
- * the type of network device you're using;
- * the error message you get from Wireshark.
-
- If you cannot capture on the interface with WinDump, this is almost
- certainly a problem with one or more of:
- * the operating system you're using;
- * the device driver for the interface you're using;
- * the WinPcap library and/or the WinPcap device driver;
-
- so first check the WinPcap FAQ or the Wiretapped.net mirror of that
- FAQ, to see if your problem is mentioned there. If not, then see the
- WinPcap support page - check the "Submitting bugs" section.
- You may also want to ask the wireshark-users@wireshark.org and the
- winpcap-users@winpcap.org mailing lists to see if anybody happens to
- know about the problem and know a workaround or fix for the problem.
- (Note that you will have to subscribe to that list in order to be
- allowed to mail to it; see the WinPcap support page for information on
- the mailing list.) In your mail, please give full details of the
- problem, as described above, and also indicate that the problem occurs
- with WinDump, not just with Wireshark.
-
- Q 8.2: I'm running Wireshark on Windows; why do no network interfaces
- show up in the list of interfaces in the "Interface:" field in the
- dialog box popped up by "Capture->Start"?
-
- A: This is really the same question as a previous one; see the response
- to that question.
-
- Q 8.3: I'm running Wireshark on Windows; why doesn't my serial
- port/ADSL modem/ISDN modem show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start"?
-
- A: Internet access on those devices is often done with the
- Point-to-Point (PPP) protocol; WinPcap 2.3 has problems supporting PPP
- WAN interfaces on Windows NT 4.0, Windows 2000, Windows XP, and Windows
- Server 2003, and, to avoid those problems, support for PPP WAN
- interfaces on those versions of Windows has been disabled in WinPcap
- 3.0.
- On Windows 2000, Windows XP, and Windows Server 2003, but not Windows
- NT 4.0 or Windows Vista Beta 1, you should be able to capture on the
- "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it
- the "NdisWanAdapter"; if you're using a 3.1 beta release, you should
- un-install it and install the final 3.1 release.) See the Wireshark
- Wiki item on PPP capturing for details.
-
- Q 8.4: I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows
- XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
- interface, and it shows up in the "Interface" item in the "Capture
- Options" dialog box. Why can no packets be sent on or received from
- that network while I'm trying to capture traffic on that interface?
-
- A: Some versions of WinPcap have problems with PPP WAN interfaces on
- Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one
- symptom that may be seen is that attempts to capture in promiscuous
- mode on the interface cause the interface to be incapable of sending or
- receiving packets. You can disable promiscuous mode using the -p
- command-line flag or the item in the "Capture Preferences" dialog box,
- but this may mean that outgoing packets, or incoming packets, won't be
- seen in the capture.
- On Windows 2000, Windows XP, and Windows Server 2003, but not Windows
- NT 4.0 or Windows Vista Beta 1, you should be able to capture on the
- "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it
- the "NdisWanAdapter"; if you're using a 3.1 beta release, you should
- un-install it and install the final 3.1 release.) See the Wireshark
- Wiki item on PPP capturing for details.
-
- Q 8.5: I'm running Wireshark on Windows; why am I not seeing any
- traffic being sent by the machine running Wireshark?
-
- A: If you are running some form of VPN client software, it might be
- causing this problem; people have seen this problem when they have
- Check Point's VPN software installed on their machine. If that's the
- cause of the problem, you will have to remove the VPN software in order
- to have Wireshark (or any other application using WinPcap) see outgoing
- packets; unfortunately, neither we nor the WinPcap developers know any
- way to make WinPcap and the VPN software work well together.
- Also, some drivers for Windows (especially some wireless network
- interface drivers) apparently do not, when running in promiscuous mode,
- arrange that outgoing packets are delivered to the software that
- requested that the interface run promiscuously; try turning promiscuous
- mode off.
-
- Q 8.6: When I capture on Windows in promiscuous mode, I can see packets
- other than those sent to or from my machine; however, those packets
- show up with a "Short Frame" indication, unlike packets to or from my
- machine. What should I do to arrange that I see those packets in their
- entirety?
-
- A: In at least some cases, this appears to be the result of PGPnet
- running on the network interface on which you're capturing; turn it off
- on that interface.
-
- Q 8.7: I'm trying to capture 802.11 traffic on Windows; why am I not
- seeing any packets?
-
- A: At least some 802.11 card drivers on Windows appear not to see any
- packets if they're running in promiscuous mode. Try turning promiscuous
- mode off; you'll only be able to see packets sent by and received by
- your machine, not third-party traffic, and it'll look like Ethernet
- traffic and won't include any management or control frames, but that's
- a limitation of the card drivers.
- See MicroLogix's list of cards supported with WinPcap for information
- on support of various adapters and drivers with WinPcap.
-
- Q 8.8: I'm trying to capture 802.11 traffic on Windows; why am I seeing
- packets received by the machine on which I'm capturing traffic, but not
- packets sent by that machine?
-
- A: This appears to be another problem with promiscuous mode; try
- turning it off.
-
- Q 8.9: I'm trying to capture Ethernet VLAN traffic on Windows, and I'm
- capturing on a "raw" Ethernet device rather than a "VLAN interface", so
- that I can see the VLAN headers; why am I seeing packets received by
- the machine on which I'm capturing traffic, but not packets sent by
- that machine?
-
- A: The way the Windows networking code works probably means that
- packets are sent on a "VLAN interface" rather than the "raw" device, so
- packets sent by the machine will only be seen when you capture on the
- "VLAN interface". If so, you will be unable to see outgoing packets
- when capturing on the "raw" device, so you are stuck with a choice
- between seeing VLAN headers and seeing outgoing packets.
-
- 9. Capturing packets on UN*Xes
-
- Q 9.1: I'm running Wireshark on a UNIX-flavored OS; why does some
- network interface on my machine not show up in the list of interfaces
- in the "Interface:" field in the dialog box popped up by
- "Capture->Start", and/or why does Wireshark give me an error if I try
- to capture on that interface?
-
- A: You may need to run Wireshark from an account with sufficient
- privileges to capture packets, such as the super-user account, or may
- need to give your account sufficient privileges to capture packets.
- Only those interfaces that Wireshark can open for capturing show up in
- that list; if you don't have sufficient privileges to capture on any
- interfaces, no interfaces will show up in the list. See the Wireshark
- Wiki item on capture privileges for details on how to give a particular
- account or account group capture privileges on platforms where that can
- be done.
- If you are running Wireshark from an account with sufficient
- privileges, then note that Wireshark relies on the libpcap library, and
- on the facilities that come with the OS on which it's running in order
- to do captures. On some OSes, those facilities aren't present by
- default; see the Wireshark Wiki item on adding capture support for
- details.
- And, even if you're running with an account that has sufficient
- privileges to capture, and capture support is present in your OS, if
- the OS or the libpcap library don't support capturing on a particular
- network interface device or particular types of devices, Wireshark
- won't be able to capture on that device.
- On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
- Ring interfaces; the current version, 0.7.2, does support Token Ring,
- and the current version of Wireshark works with libpcap 0.7.2 and
- later.
- If an interface doesn't show up in the list of interfaces in the
- "Interface:" field, and you know the name of the interface, try
- entering that name in the "Interface:" field and capturing on that
- device.
- If the attempt to capture on it succeeds, the interface is somehow not
- being reported by the mechanism Wireshark uses to get a list of
- interfaces; please report this to wireshark-dev@wireshark.org giving
- full details of the problem, including
- * the operating system you're using, and the version of that
- operating system (for Linux, give both the version number of the
- kernel and the name and version number of the distribution you're
- using);
- * the type of network device you're using.
-
- If you are having trouble capturing on a particular network interface,
- and you've made sure that (on platforms that require it) you've
- arranged that packet capture support is present, as per the above,
- first try capturing on that device with tcpdump.
- If you can capture on the interface with tcpdump, send mail to
- wireshark-users@wireshark.org giving full details of the problem,
- including
- * the operating system you're using, and the version of that
- operating system (for Linux, give both the version number of the
- kernel and the name and version number of the distribution you're
- using);
- * the type of network device you're using;
- * the error message you get from Wireshark.
-
- If you cannot capture on the interface with tcpdump, this is almost
- certainly a problem with one or more of:
- * the operating system you're using;
- * the device driver for the interface you're using;
- * the libpcap library;
-
- so you should report the problem to the company or organization that
- produces the OS (in the case of a Linux distribution, report the
- problem to whoever produces the distribution).
- You may also want to ask the wireshark-users@wireshark.org and the
- tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to
- know about the problem and know a workaround or fix for the problem. In
- your mail, please give full details of the problem, as described above,
- and also indicate that the problem occurs with tcpdump not just with
- Wireshark.
-
- Q 9.2: I'm running Wireshark on a UNIX-flavored OS; why do no network
- interfaces show up in the list of interfaces in the "Interface:" field
- in the dialog box popped up by "Capture->Start"?
-
- A: This is really the same question as the previous one; see the
- response to that question.
-
- Q 9.3: I'm capturing packets on Linux; why do the time stamps have only
- 100ms resolution, rather than 1us resolution?
-
- A: Wireshark gets time stamps from libpcap/WinPcap, and libpcap/WinPcap
- get them from the OS kernel, so Wireshark - and any other program using
- libpcap, such as tcpdump - is at the mercy of the time stamping code in
- the OS for time stamps.
- At least on x86-based machines, Linux can get high-resolution time
- stamps on newer processors with the Time Stamp Counter (TSC) register;
- for example, Intel x86 processors, starting with the Pentium Pro, and
- including all x86 processors since then, have had a TSC, and other
- vendors probably added the TSC at some point to their families of x86
- processors. The Linux kernel must be configured with the CONFIG_X86_TSC
- option enabled in order to use the TSC. Make sure this option is
- enabled in your kernel.
- In addition, some Linux distributions may have bugs in their versions
- of the kernel that cause packets not to be given high-resolution time
- stamps even if the TSC is enabled. See, for example, bug 61111 for Red
- Hat Linux 7.2. If your distribution has a bug such as this, you may
- have to run a standard kernel from kernel.org in order to get
- high-resolution time stamps.
-
- 10. Capturing packets on wireless LANs
-
- Q 10.1: How can I capture raw 802.11 frames, including non-data
- (management, beacon) frames?
-
- A: That depends on the operating system on which you're running, and on
- the 802.11 interface on which you're capturing.
- This would probably require that you capture in promiscuous mode or in
- the mode called "monitor mode" or "RFMON mode". On some platforms, or
- with some cards, this might require that you capture in monitor mode -
- promiscuous mode might not be sufficient. If you want to capture
- traffic on networks other than the one with which you're associated,
- you will have to capture in monitor mode.
- Not all operating systems support capturing non-data packets and, even
- on operating systems that do support it, not all drivers, and thus not
- all interfaces, support it. Even on those that do, monitor mode might
- not be supported by the operating system or by the drivers for all
- interfaces.
- NOTE: an interface running in monitor mode will, on most if not all
- platforms, not be able to act as a regular network interface; putting
- it into monitor mode will, in effect, take your machine off of whatever
- network it's on as long as the interface is in monitor mode, allowing
- it only to passively capture packets.
- This means that you should disable name resolution when capturing in
- monitor mode; otherwise, when Wireshark (or TShark, or tcpdump) tries
- to display IP addresses as host names, it will probably block for a
- long time trying to resolve the name because it will not be able to
- communicate with any DNS or NIS servers.
- See the Wireshark Wiki item on 802.11 capturing for details.
-
- Q 10.2: How do I capture on an 802.11 device in monitor mode?
-
- A: Whether you will be able to capture in monitor mode depends on the
- operating system, adapter, and driver you're using. See the previous
- question for information on monitor mode, including a link to the
- Wireshark Wiki page that gives details on 802.11 capturing.
-
- 11. Viewing traffic
-
- Q 11.1: Why am I seeing lots of packets with incorrect TCP checksums?
-
- A: If the packets that have incorrect TCP checksums are all being sent
- by the machine on which Wireshark is running, this is probably because
- the network interface on which you're capturing does TCP checksum
- offloading. That means that the TCP checksum is added to the packet by
- the network interface, not by the OS's TCP/IP stack; when capturing on
- an interface, packets being sent by the host on which you're capturing
- are directly handed to the capture interface by the OS, which means
- that they are handed to the capture interface without a TCP checksum
- being added to them.
- The only way to prevent this from happening would be to disable TCP
- checksum offloading, but
- 1. that might not even be possible on some OSes;
- 2. that could reduce networking performance significantly.
-
- However, you can disable the check that Wireshark does of the TCP
- checksum, so that it won't report any packets as having TCP checksum
- errors, and so that it won't refuse to do TCP reassembly due to a
- packet having an incorrect TCP checksum. That can be set as an
- Wireshark preference by selecting "Preferences" from the "Edit" menu,
- opening up the "Protocols" list in the left-hand pane of the
- "Preferences" dialog box, selecting "TCP", from that list, turning off
- the "Check the validity of the TCP checksum when possible" option,
- clicking "Save" if you want to save that setting in your preference
- file, and clicking "OK".
- It can also be set on the Wireshark or TShark command line with a -o
- tcp.check_checksum:false command-line flag, or manually set in your
- preferences file by adding a tcp.check_checksum:false line.
-
- Q 11.2: I've just installed Wireshark, and the traffic on my local LAN
- is boring. Where can I find more interesting captures?
-
- A: We have a collection of strange and exotic sample capture files at
- http://wiki.wireshark.org/SampleCaptures
-
- Q 11.3: Why doesn't Wireshark correctly identify RTP packets? It shows
- them only as UDP.
-
- A: Wireshark can identify a UDP datagram as containing a packet of a
- particular protocol running atop UDP only if
- 1. The protocol in question has a particular standard port number, and
- the UDP source or destination port number is that port
- 2. Packets of that protocol can be identified by looking for a
- "signature" of some type in the packet - i.e., some data that, if
- Wireshark finds it in some particular part of a packet, means that
- the packet is almost certainly a packet of that type.
- 3. Some other traffic earlier in the capture indicated that, for
- example, UDP traffic between two particular addresses and ports
- will be RTP traffic.
-
- RTP doesn't have a standard port number, so 1) doesn't work; it
- doesn't, as far as I know, have any "signature", so 2) doesn't work.
- That leaves 3). If there's RTSP traffic that sets up an RTP session,
- then, at least in some cases, the RTSP dissector will set things up so
- that subsequent RTP traffic will be identified. Currently, that's the
- only place we do that; there may be other places.
- However, there will always be places where Wireshark is simply
- incapable of deducing that a given UDP flow is RTP; a mechanism would
- be needed to allow the user to specify that a given conversation should
- be treated as RTP. As of Wireshark 0.8.16, such a mechanism exists; if
- you select a UDP or TCP packet, the right mouse button menu will have a
- "Decode As..." menu item, which will pop up a dialog box letting you
- specify that the source port, the destination port, or both the source
- and destination ports of the packet should be dissected as some
- particular protocol.
-
- Q 11.4: Why doesn't Wireshark show Yahoo Messenger packets in captures
- that contain Yahoo Messenger traffic?
-
- A: Wireshark only recognizes as Yahoo Messenger traffic packets to or
- from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP
- segments that start with the middle of a Yahoo Messenger packet that
- takes more than one TCP segment will not be recognized as Yahoo
- Messenger packets (even if the TCP segment also contains the beginning
- of another Yahoo Messenger packet).
-
- 12. Filtering traffic
-
- Q 12.1: I saved a filter and tried to use its name to filter the
- display; why do I get an "Unexpected end of filter string" error?
-
- A: You cannot use the name of a saved display filter as a filter. To
- filter the display, you can enter a display filter expression - not the
- name of a saved display filter - in the "Filter:" box at the bottom of
- the display, and type the key or press the "Apply" button (that does
- not require you to have a saved filter), or, if you want to use a saved
- filter, you can press the "Filter:" button, select the filter in the
- dialog box that pops up, and press the "OK" button.
-
- Q 12.2: How can I search for, or filter, packets that have a particular
- string anywhere in them?
-
- A: If you want to do this when capturing, you can't. That's a feature
- that would be hard to implement in capture filters without changes to
- the capture filter code, which, on many platforms, is in the OS kernel
- and, on other platforms, is in the libpcap library.
- In releases prior to 0.9.14, you also can't search for, or filter,
- packets containing a particular string even after you've captured them.
- In 0.9.14, you can search for, but not filter, packets that have a
- particular string; this has been added to the "Find Frame" dialog
- ("Find Frame" under the "Edit" menu, or control-F).
- In 0.9.15 and later, you can search for those packets using either the
- mechanism introduced in 0.9.14 or using the new "contains" operator in
- filter expressions, which lets you search the entire packet or text
- string or byte string fields in the packet; the "contains" operator can
- also be used in expressions used to filter the display.
-
- Q 12.3: How do I filter a capture to see traffic for virus XXX?
-
- A: For some viruses/worms there might be a capture filter to recognize
- the virus traffic. Check the CaptureFilters page on the Wireshark Wiki
- to see if anybody's added such a filter.
- Note that Wireshark was not designed to be an intrusion detection
- system; you might be able to use it as an IDS, but in most cases
- software designed to be an IDS, such as Snort or Prelude, will probably
- work better.
- The Bleeding Edge of Snort has a collection of signatures for Snort to
- detect various viruses, worms, and the like.
#
# Wireshark configuration files are put in $(pkgdatadir).
#
-pkgdata_DATA = AUTHORS-SHORT COPYING manuf services wireshark.html \
+pkgdata_DATA = AUTHORS-SHORT COPYING FAQ manuf services wireshark.html \
tshark.html wireshark-filter.html capinfos.html editcap.html \
idl2wrs.html mergecap.html text2pcap.html dumpcap.html \
rawshark.html ws.css cfilters colorfilters dfilters smi_modules
SUBDIRS = tools wsutil wiretap doc epan packaging help @wireshark_SUBDIRS@
endif
+FAQ: help/faq.txt help/faq.py
+ (cd help ; \
+ $(MAKE) faq.txt ; \
+ cp faq.txt ../FAQ )
+
wireshark.1: doc/wireshark.pod AUTHORS-SHORT-FORMAT
(cd doc ; \
$(MAKE) ../wireshark.1 )
faq.txt \
overview.txt
-EXTRA_DIST = $(help_DATA) Makefile.nmake
+EXTRA_DIST = $(help_DATA) Makefile.nmake faq.py
-CLEANFILES =
+CLEANFILES = faq.txt
MAINTAINERCLEANFILES = \
Makefile.in
+# Try our best to convert the FAQ to text.
+faq.txt: faq.py
+ elinks -dump -dump-width 72 < $< > $@ || \
+ links -dump -width 72 < $< > $@ || \
+ lynx -dump -width=72 -nolist -stdin -force-html < $< > $@
# faq.py
#
# Routines to assemble a FAQ list for the Wireshark web site.
-# Reduces the amount of HTML and WML formatting that the person
-# who wanted to add to the FAQ has to deal with.
-# It numbers the sections and questions automatically, too.
+# Questions and answer content can be found below. Section and
+# question numbers will be automatically generated.
#
# $Id$
+import sys
import string
class faq_section:
# Print result
-def create_output():
+def create_output(header='', footer=''):
+ print(header)
create_index()
for sec in sections:
sec.print_contents()
+ print(footer)
+
+def main():
+ header = '''\
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html
+ PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+ "DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+ <title>Wireshark FAQ</title>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+</head>
+<body>
+'''
+ footer = '''\
+</body>
+</html>
+'''
+
+ if len(sys.argv) > 1 and sys.argv[1] == '-b': # Only print the document body
+ header = ''
+ footer = ''
+
+ create_output(header, footer)
#################################################################
section("General Questions")
The license under which Wireshark is issued is <a
href="http://www.gnu.org/licenses/gpl.html">the GNU General Public
-License</a>. See <a href="http://www.gnu.org/licenses/gpl-faq.html">the
+License
version 2</a>. See <a href="http://www.gnu.org/licenses/gpl-faq.html">the
GNU GPL FAQ</a> for some more information.
""")
question("""
Why does the linker fail with a number of "Output line too long." messages
-followed by linker errors when I try to buil Wireshark?
+followed by linker errors when I try to build Wireshark?
""")
answer("""
""")
#################################################################
-create_output()
+if __name__ == '__main__':
+ sys.exit(main())
#################################################################
+++ /dev/null
-
- The Wireshark FAQ
-
- Note: This is just an ASCII snapshot of the faq and may not be up to
- date. Please go to http://www.wireshark.org/faq.html for the up
- to date version. The version of this snapshot can be found at
- the end of this document.
-
- INDEX
-
-
- 1. General Questions:
-
- 1.1 What is Wireshark?
-
- 1.2 What's up with the name change? Is Wireshark a fork?
-
- 1.3 Where can I get help?
-
- 1.4 What kind of shark is Wireshark?
-
- 1.5 How is Wireshark pronounced, spelled and capitalized?
-
- 1.6 How much does Wireshark cost?
-
- 1.7 Can I use Wireshark commercially?
-
- 1.8 Can I use Wireshark as part of my commercial product?
-
- 1.9 What protocols are currently supported?
-
- 1.10 Are there any plans to support {your favorite protocol}?
-
- 1.11 Can Wireshark read capture files from {your favorite network
- analyzer}?
-
- 1.12 What devices can Wireshark use to capture packets?
-
- 1.13 Does Wireshark work on Windows Vista?
-
- 2. Downloading Wireshark:
-
- 2.1 Why do I get an error when I try to run the Win32 installer?
-
- 3. Installing Wireshark:
-
- 3.1 I installed the Wireshark RPM (or other package); why did it
- install TShark but not Wireshark?
-
- 4. Building Wireshark:
-
- 4.1 I have libpcap installed; why did the configure script not find
- pcap.h or bpf.h?
-
- 4.2 Why do I get the error
-
- dftest_DEPENDENCIES was already defined in condition TRUE, which
- implies condition HAVE_PLUGINS_TRUE
-
- when I try to build Wireshark from SVN or a SVN snapshot?
-
- 4.3 Why does the linker fail with a number of "Output line too long."
- messages followed by linker errors when I try to build Wireshark?
-
- 4.4 When I try to build Wireshark on Solaris, why does the link fail
- complaining that plugin_list is undefined?
-
- 4.5 When I try to build Wireshark on Windows, why does the build fail
- because of conflicts between winsock.h and winsock2.h?
-
- 5. Starting Wireshark:
-
- 5.1 Why does Wireshark crash with a Bus Error when I try to run it on
- Solaris 8?
-
- 5.2 When I run Wireshark on Windows NT, why does it die with a Dr.
- Watson error, reporting an "Integer division by zero" exception, when I
- start it?
-
- 5.3 When I try to run Wireshark, why does it complain about
- sprint_realloc_objid being undefined?
-
- 5.4 I've installed Wireshark from Fink on Mac OS X; why is it very slow
- to start up?
-
- 6. Crashes and other fatal errors:
-
- 6.1 I have an XXX network card on my machine; if I try to capture on
- it, why does my machine crash or reset itself?
-
- 6.2 Why does my machine crash or reset itself when I select "Start"
- from the "Capture" menu or select "Preferences" from the "Edit" menu?
-
- 7. Capturing packets:
-
- 7.1 When I use Wireshark to capture packets, why do I see only packets
- to and from my machine, or not see all the traffic I'm expecting to see
- from or to the machine I'm trying to monitor?
-
- 7.2 When I capture with Wireshark, why can't I see any TCP packets
- other than packets to and from my machine, even though another analyzer
- on the network sees those packets?
-
- 7.3 Why am I only seeing ARP packets when I try to capture traffic?
-
- 7.4 Why am I not seeing any traffic when I try to capture traffic?
-
- 7.5 Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?
-
- 7.6 How do I put an interface into promiscuous mode?
-
- 7.7 I can set a display filter just fine; why don't capture filters
- work?
-
- 7.8 I'm entering valid capture filters; why do I still get "parse
- error" errors?
-
- 7.9 How can I capture packets with CRC errors?
-
- 7.10 How can I capture entire frames, including the FCS?
-
- 7.11 I'm capturing packets on a machine on a VLAN; why don't the
- packets I'm capturing have VLAN tags?
-
- 7.12 Why does Wireshark hang after I stop a capture?
-
- 8. Capturing packets on Windows:
-
- 8.1 I'm running Wireshark on Windows; why does some network interface
- on my machine not show up in the list of interfaces in the "Interface:"
- field in the dialog box popped up by "Capture->Start", and/or why does
- Wireshark give me an error if I try to capture on that interface?
-
- 8.2 I'm running Wireshark on Windows; why do no network interfaces show
- up in the list of interfaces in the "Interface:" field in the dialog
- box popped up by "Capture->Start"?
-
- 8.3 I'm running Wireshark on Windows; why doesn't my serial port/ADSL
- modem/ISDN modem show up in the list of interfaces in the "Interface:"
- field in the dialog box popped up by "Capture->Start"?
-
- 8.4 I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows
- XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
- interface, and it shows up in the "Interface" item in the "Capture
- Options" dialog box. Why can no packets be sent on or received from
- that network while I'm trying to capture traffic on that interface?
-
- 8.5 I'm running Wireshark on Windows; why am I not seeing any traffic
- being sent by the machine running Wireshark?
-
- 8.6 When I capture on Windows in promiscuous mode, I can see packets
- other than those sent to or from my machine; however, those packets
- show up with a "Short Frame" indication, unlike packets to or from my
- machine. What should I do to arrange that I see those packets in their
- entirety?
-
- 8.7 I'm trying to capture 802.11 traffic on Windows; why am I not
- seeing any packets?
-
- 8.8 I'm trying to capture 802.11 traffic on Windows; why am I seeing
- packets received by the machine on which I'm capturing traffic, but not
- packets sent by that machine?
-
- 8.9 I'm trying to capture Ethernet VLAN traffic on Windows, and I'm
- capturing on a "raw" Ethernet device rather than a "VLAN interface", so
- that I can see the VLAN headers; why am I seeing packets received by
- the machine on which I'm capturing traffic, but not packets sent by
- that machine?
-
- 9. Capturing packets on UN*Xes:
-
- 9.1 I'm running Wireshark on a UNIX-flavored OS; why does some network
- interface on my machine not show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start",
- and/or why does Wireshark give me an error if I try to capture on that
- interface?
-
- 9.2 I'm running Wireshark on a UNIX-flavored OS; why do no network
- interfaces show up in the list of interfaces in the "Interface:" field
- in the dialog box popped up by "Capture->Start"?
-
- 9.3 I'm capturing packets on Linux; why do the time stamps have only
- 100ms resolution, rather than 1us resolution?
-
- 10. Capturing packets on wireless LANs:
-
- 10.1 How can I capture raw 802.11 frames, including non-data
- (management, beacon) frames?
-
- 10.2 How do I capture on an 802.11 device in monitor mode?
-
- 11. Viewing traffic:
-
- 11.1 Why am I seeing lots of packets with incorrect TCP checksums?
-
- 11.2 I've just installed Wireshark, and the traffic on my local LAN is
- boring. Where can I find more interesting captures?
-
- 11.3 Why doesn't Wireshark correctly identify RTP packets? It shows
- them only as UDP.
-
- 11.4 Why doesn't Wireshark show Yahoo Messenger packets in captures
- that contain Yahoo Messenger traffic?
-
- 12. Filtering traffic:
-
- 12.1 I saved a filter and tried to use its name to filter the display;
- why do I get an "Unexpected end of filter string" error?
-
- 12.2 How can I search for, or filter, packets that have a particular
- string anywhere in them?
-
- 12.3 How do I filter a capture to see traffic for virus XXX?
-
- 1. General Questions
-
- Q 1.1: What is Wireshark?
-
- A: Wireshark® is the world's most popular network protocol analyzer. It
- has a rich and powerful feature set and runs on most computing
- platforms including Windows, OS X, Linux, and UNIX. Network
- professionals, security experts, developers, and educators around the
- world use it regularly. It is freely available as open source, and is
- released under the GNU General Public License version 2.
- It is developed and maintained by a global team of protocol experts,
- and it is an example of a disruptive technology.
- Wireshark used to be known as Ethereal®. See the next question for
- details about the name change. If you're still using Ethereal, it is
- strongly recommended that you upgrade to Wireshark.
- For more information, please see the About Wireshark page.
-
- Q 1.2: What's up with the name change? Is Wireshark a fork?
-
- A: In May of 2006, Gerald Combs (the original author of Ethereal) went
- to work for CACE Technologies (best known for WinPcap). Unfortunately,
- he had to leave the Ethereal trademarks behind.
- This left the project in an awkward position. The only reasonable way
- to ensure the continued success of the project was to change the name.
- This is how Wireshark was born.
- Wireshark is almost (but not quite) a fork. Normally a "fork" of an
- open source project results in two names, web sites, development teams,
- support infrastructures, etc. This is the case with Wireshark except
- for one notable exception -- every member of the core development team
- is now working on Wireshark. There has been no active development on
- Ethereal since the name change. Several parts of the Ethereal web site
- (such as the mailing lists, source code repository, and build farm)
- have gone offline.
- More information on the name change can be found here:
- *
- *
- * Many other articles in
-
- Q 1.3: Where can I get help?
-
- A: Community support is available on the wireshark-users mailing list.
- Subscription information and archives for all of Wireshark's mailing
- lists can be found at http://www.wireshark.org/mailman/listinfo. An IRC
- channel dedicated to Wireshark can be found at
- irc://irc.freenode.net/wireshark.
- Self-paced and instructor-led training is available at Wireshark
- University. A certification program will be announced in Q3 2007.
- Commercial support and development services are available from CACE
- Technologies.
-
- Q 1.4: What kind of shark is Wireshark?
-
- A: carcharodon photoshopia.
-
- Q 1.5: How is Wireshark pronounced, spelled and capitalized?
-
- A: Wireshark is pronounced as the word wire followed immediately by the
- word shark. Exact pronunciation and emphasis may vary depending on your
- locale (e.g. Arkansas).
- It's spelled with a capital W, followed by a lower-case ireshark. It is
- not a CamelCase word, i.e., WireShark is incorrect.
-
- Q 1.6: How much does Wireshark cost?
-
- A: Wireshark is "free software"; you can download it without paying any
- license fee. The version of Wireshark you download isn't a "demo"
- version, with limitations not present in a "full" version; it is the
- full version.
- The license under which Wireshark is issued is the GNU General Public
- License. See the GNU GPL FAQ for some more information.
-
- Q 1.7: Can I use Wireshark commercially?
-
- A: Yes, if, for example, you mean "I work for a commercial
- organization; can I use Wireshark to capture and analyze network
- traffic in our company's networks or in our customer's networks?"
- If you mean "Can I use Wireshark as part of my commercial product?",
- see the next entry in the FAQ.
-
- Q 1.8: Can I use Wireshark as part of my commercial product?
-
- A: As noted, Wireshark is licensed under the GNU General Public
- License. The GPL imposes conditions on your use of GPL'ed code in your
- own products; you cannot, for example, make a "derived work" from
- Wireshark, by making modifications to it, and then sell the resulting
- derived work and not allow recipients to give away the resulting work.
- You must also make the changes you've made to the Wireshark source
- available to all recipients of your modified version; those changes
- must also be licensed under the terms of the GPL. See the GPL FAQ for
- more details; in particular, note the answer to the question about
- modifying a GPLed program and selling it commercially, and the question
- about linking GPLed code with other code to make a proprietary program.
- You can combine a GPLed program such as Wireshark and a commercial
- program as long as they communicate "at arm's length", as per this item
- in the GPL FAQ.
-
- Q 1.9: What protocols are currently supported?
-
- A: There are currently hundreds of supported protocols and media.
- Details can be found in the wireshark(1) man page.
-
- Q 1.10: Are there any plans to support {your favorite protocol}?
-
- A: Support for particular protocols is added to Wireshark as a result
- of people contributing that support; no formal plans for adding support
- for particular protocols in particular future releases exist.
-
- Q 1.11: Can Wireshark read capture files from {your favorite network
- analyzer}?
-
- A: Support for particular protocols is added to Wireshark as a result
- of people contributing that support; no formal plans for adding support
- for particular protocols in particular future releases exist.
- If a network analyzer writes out files in a format already supported by
- Wireshark (e.g., in libpcap format), Wireshark may already be able to
- read them, unless the analyzer has added its own proprietary extensions
- to that format.
- If a network analyzer writes out files in its own format, or has added
- proprietary extensions to another format, in order to make Wireshark
- read captures from that network analyzer, we would either have to have
- a specification for the file format, or the extensions, sufficient to
- give us enough information to read the parts of the file relevant to
- Wireshark, or would need at least one capture file in that format AND a
- detailed textual analysis of the packets in that capture file (showing
- packet time stamps, packet lengths, and the top-level packet header) in
- order to reverse-engineer the file format.
- Note that there is no guarantee that we will be able to
- reverse-engineer a capture file format.
-
- Q 1.12: What devices can Wireshark use to capture packets?
-
- A: Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial
- (PPP and SLIP) (if the OS on which it's running allows Wireshark to do
- so), 802.11 wireless LAN (if the OS on which it's running allows
- Wireshark to do so), ATM connections (if the OS on which it's running
- allows Wireshark to do so), and the "any" device supported on Linux by
- recent versions of libpcap.
- See the list of supported capture media on various OSes for details
- (several items in there say "Unknown", which doesn't mean "Wireshark
- can't capture on them", it means "we don't know whether it can capture
- on them"; we expect that it will be able to capture on many of them,
- but we haven't tried it ourselves - if you try one of those types and
- it works, please update the wiki page accordingly.
- It can also read a variety of capture file formats, including:
- * AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
- Grabber captures
- * AIX's iptrace captures
- * Accellent's 5Views LAN agent output
- * Cinco Networks NetXRay captures
- * Cisco Secure Intrusion Detection System IPLog output
- * CoSine L2 debug output
- * DBS Etherwatch VMS text output
- * Endace Measurement Systems' ERF format captures
- * EyeSDN USB S0 traces
- * HP-UX nettl captures
- * ISDN4BSD project i4btrace captures
- * Linux Bluez Bluetooth stack hcidump -w traces
- * Lucent/Ascend router debug output
- * Microsoft Network Monitor captures
- * Network Associates Windows-based Sniffer captures
- * Network General/Network Associates DOS-based Sniffer (compressed or
- uncompressed) captures
- * Network Instruments Observer version 9 captures
- * Novell LANalyzer captures
- * RADCOM's WAN/LAN analyzer captures
- * Shomiti/Finisar Surveyor captures
- * Toshiba's ISDN routers dump output
- * VMS TCPIPtrace/TCPtrace/UCX$TRACE output
- * Visual Networks' Visual UpTime traffic capture
- * libpcap, tcpdump and various other tools using tcpdump's capture
- format
- * snoop and atmsnoop output
-
- so that it can read traces from various network types, as captured by
- other applications or equipment, even if it cannot itself capture on
- those network types.
-
- Q 1.13: Does Wireshark work on Windows Vista?
-
- A: Yes, but if you want to capture packets, you must make sure npf.sys
- is loaded. You can do this by selecting Start WinPcap service "NPF" at
- startup in the installer or by running sc config npf start= auto as
- Administrator from the command line. You can also run Wireshark as
- Administrator, but this is discouraged. See the CaputrePrivileges page
- on the wiki for more details.
-
- 2. Downloading Wireshark
-
- Q 2.1: Why do I get an error when I try to run the Win32 installer?
-
- A: The program you used to download it may have downloaded it
- incorrectly. Web browsers and download accelerators sometimes may do
- this.
- Try downloading it with, for example:
- * Wget, for which Windows binaries are available from Christopher
- Lewis or wGetGUI, which offers a GUI interface that uses wget;
- * WS_FTP from Ipswitch,
- * the ftp command that comes with Windows.
-
- If you use the ftp command, make sure you do the transfer in binary
- mode rather than ASCII mode, by using the binary command before
- transferring the file.
-
- 3. Installing Wireshark
-
- Q 3.1: I installed the Wireshark RPM (or other package); why did it
- install TShark but not Wireshark?
-
- A: Many distributions have separate Wireshark packages, one for non-GUI
- components such as TShark, editcap, dumpcap, etc. and one for the GUI.
- If this is the case on your system, there's probably a separate package
- named wireshark-gnome or wireshark-gtk+. Find it and install it.
-
- 4. Building Wireshark
-
- Q 4.1: I have libpcap installed; why did the configure script not find
- pcap.h or bpf.h?
-
- A: Are you sure pcap.h and bpf.h are installed? The official
- distribution of libpcap only installs the libpcap.a library file when
- "make install" is run. To install pcap.h and bpf.h, you must run "make
- install-incl". If you're running Debian or Redhat, make sure you have
- the "libpcap-dev" or "libpcap-devel" packages installed.
- It's also possible that pcap.h and bpf.h have been installed in a
- strange location. If this is the case, you may have to tweak
- aclocal.m4.
-
- Q 4.2: Why do I get the error
-
- dftest_DEPENDENCIES was already defined in condition TRUE, which
- implies condition HAVE_PLUGINS_TRUE
-
- when I try to build Wireshark from SVN or a SVN snapshot?
-
- A: You probably have automake 1.5 installed on your machine (the
- command automake --version will report the version of automake on your
- machine). There is a bug in that version of automake that causes this
- problem; upgrade to a later version of automake (1.6 or later).
-
- Q 4.3: Why does the linker fail with a number of "Output line too
- long." messages followed by linker errors when I try to buil Wireshark?
-
- A: The version of the sed command on your system is incapable of
- handling very long lines. On Solaris, for example, /usr/bin/sed has a
- line length limit too low to allow libtool to work; /usr/xpg4/bin/sed
- can handle it, as can GNU sed if you have it installed.
- On Solaris, changing your command search path to search /usr/xpg4/bin
- before /usr/bin should make the problem go away; on any platform on
- which you have this problem, installing GNU sed and changing your
- command path to search the directory in which it is installed before
- searching the directory with the version of sed that came with the OS
- should make the problem go away.
-
- Q 4.4: When I try to build Wireshark on Solaris, why does the link fail
- complaining that plugin_list is undefined?
-
- A: This appears to be due to a problem with some versions of the GTK+
- and GLib packages from www.sunfreeware.org; un-install those packages,
- and try getting the 1.2.10 versions from that site, or the versions
- from The Written Word, or the versions from Sun's GNOME distribution,
- or the versions from the supplemental software CD that comes with the
- Solaris media kit, or build them from source from the GTK Web site.
- Then re-run the configuration script, and try rebuilding Wireshark. (If
- you get the 1.2.10 versions from www.sunfreeware.org, and the problem
- persists, un-install them and try installing one of the other versions
- mentioned.)
-
- Q 4.5: When I try to build Wireshark on Windows, why does the build
- fail because of conflicts between winsock.h and winsock2.h?
-
- A: As of Wireshark 0.9.5, you must install WinPcap 2.3 or later, and
- the corresponding version of the developer's pack, in order to be able
- to compile Wireshark; it will not compile with older versions of the
- developer's pack. The symptoms of this failure are conflicts between
- definitions in winsock.h and in winsock2.h; Wireshark uses winsock2.h,
- but pre-2.3 versions of the WinPcap developer's packet use winsock.h.
- (2.3 uses winsock2.h, so if Wireshark were to use winsock.h, it would
- not be able to build with current versions of the WinPcap developer's
- pack.)
- Note that the installed version of the developer's pack should be the
- same version as the version of WinPcap you have installed.
-
- 5. Starting Wireshark
-
- Q 5.1: Why does Wireshark crash with a Bus Error when I try to run it
- on Solaris 8?
-
- A: Some versions of the GTK+ library from www.sunfreeware.org appear to
- be buggy, causing Wireshark to drop core with a Bus Error. Un-install
- those packages, and try getting the 1.2.10 version from that site, or
- the version from The Written Word, or the version from Sun's GNOME
- distribution, or the version from the supplemental software CD that
- comes with the Solaris media kit, or build it from source from the GTK
- Web site. Update the GLib library to the 1.2.10 version, from the same
- source, as well. (If you get the 1.2.10 versions from
- www.sunfreeware.org, and the problem persists, un-install them and try
- installing one of the other versions mentioned.)
- Similar problems may exist with older versions of GTK+ for earlier
- versions of Solaris.
-
- Q 5.2: When I run Wireshark on Windows NT, why does it die with a Dr.
- Watson error, reporting an "Integer division by zero" exception, when I
- start it?
-
- A: In at least some case, this appears to be due to using the default
- VGA driver; if that's not the correct driver for your video card, try
- running the correct driver for your video card.
-
- Q 5.3: When I try to run Wireshark, why does it complain about
- sprint_realloc_objid being undefined?
-
- A: Wireshark can only be linked with version 4.2.2 or later of UCD
- SNMP. Your version of Wireshark was dynamically linked with such a
- version of UCD SNMP; however, you have an older version of UCD SNMP
- installed, which means that when Wireshark is run, it tries to link to
- the older version, and fails. You will have to replace that version of
- UCD SNMP with version 4.2.2 or a later version.
-
- Q 5.4: I've installed Wireshark from Fink on Mac OS X; why is it very
- slow to start up?
-
- A: When an application is installed on OS X, prior to 10.4, it is
- usually "prebound" to speed up launching the application. (That's what
- the "Optimizing" phase of installation is.)
- Fink normally performs prebinding automatically when you install a
- package. However, in some rare cases, for whatever reason the
- prebinding caches get corrupt, and then not only does prebinding fail,
- but startup actually becomes much slower, because the system tries in
- vain to perform prebinding "on the fly" as you launch the application.
- This fails, causing sometimes huge delays.
- To fix the prebinding caches, run the command
- sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f
-
- 6. Crashes and other fatal errors
-
- Q 6.1: I have an XXX network card on my machine; if I try to capture on
- it, why does my machine crash or reset itself?
-
- A: This is almost certainly a problem with one or more of:
- * the operating system you're using;
- * the device driver for the interface you're using;
- * the libpcap/WinPcap library and, if this is Windows, the WinPcap
- device driver;
-
- so:
- * if you are using Windows, see the WinPcap support page - check the
- "Submitting bugs" section;
- * if you are using some Linux distribution, some version of BSD, or
- some other UNIX-flavored OS, you should report the problem to the
- company or organization that produces the OS (in the case of a
- Linux distribution, report the problem to whoever produces the
- distribution).
-
- Q 6.2: Why does my machine crash or reset itself when I select "Start"
- from the "Capture" menu or select "Preferences" from the "Edit" menu?
-
- A: Both of those operations cause Wireshark to try to build a list of
- the interfaces that it can open; it does so by getting a list of
- interfaces and trying to open them. There is probably an OS, driver,
- or, for Windows, WinPcap bug that causes the system to crash when this
- happens; see the previous question.
-
- 7. Capturing packets
-
- Q 7.1: When I use Wireshark to capture packets, why do I see only
- packets to and from my machine, or not see all the traffic I'm
- expecting to see from or to the machine I'm trying to monitor?
-
- A: This might be because the interface on which you're capturing is
- plugged into an Ethernet or Token Ring switch; on a switched network,
- unicast traffic between two ports will not necessarily appear on other
- ports - only broadcast and multicast traffic will be sent to all ports.
- Note that even if your machine is plugged into a hub, the "hub" may be
- a switched hub, in which case you're still on a switched network.
- Note also that on the Linksys Web site, they say that their
- auto-sensing hubs "broadcast the 10Mb packets to the port that operate
- at 10Mb only and broadcast the 100Mb packets to the ports that operate
- at 100Mb only", which would indicate that if you sniff on a 10Mb port,
- you will not see traffic coming sent to a 100Mb port, and vice versa.
- This problem has also been reported for Netgear dual-speed hubs, and
- may exist for other "auto-sensing" or "dual-speed" hubs.
- Some switches have the ability to replicate all traffic on all ports to
- a single port so that you can plug your analyzer into that single port
- to sniff all traffic. You would have to check the documentation for the
- switch to see if this is possible and, if so, to see how to do this.
- See the switch reference page on the Wireshark Wiki for information on
- some switches. (Note that it's a Wiki, so you can update or fix that
- information, or add additional information on those switches or
- information on new switches, yourself.)
- Note also that many firewall/NAT boxes have a switch built into them;
- this includes many of the "cable/DSL router" boxes. If you have a box
- of that sort, that has a switch with some number of Ethernet ports into
- which you plug machines on your network, and another Ethernet port used
- to connect to a cable or DSL modem, you can, at least, sniff traffic
- between the machines on your network and the Internet by plugging the
- Ethernet port on the router going to the modem, the Ethernet port on
- the modem, and the machine on which you're running Wireshark into a hub
- (make sure it's not a switching hub, and that, if it's a dual-speed
- hub, all three of those ports are running at the same speed.
- If your machine is not plugged into a switched network or a dual-speed
- hub, or it is plugged into a switched network but the port is set up to
- have all traffic replicated to it, the problem might be that the
- network interface on which you're capturing doesn't support
- "promiscuous" mode, or because your OS can't put the interface into
- promiscuous mode. Normally, network interfaces supply to the host only:
- * packets sent to one of that host's link-layer addresses;
- * broadcast packets;
- * multicast packets sent to a multicast address that the host has
- configured the interface to accept.
-
- Most network interfaces can also be put in "promiscuous" mode, in which
- they supply to the host all network packets they see. Wireshark will
- try to put the interface on which it's capturing into promiscuous mode
- unless the "Capture packets in promiscuous mode" option is turned off
- in the "Capture Options" dialog box, and TShark will try to put the
- interface on which it's capturing into promiscuous mode unless the -p
- option was specified. However, some network interfaces don't support
- promiscuous mode, and some OSes might not allow interfaces to be put
- into promiscuous mode.
- If the interface is not running in promiscuous mode, it won't see any
- traffic that isn't intended to be seen by your machine. It will see
- broadcast packets, and multicast packets sent to a multicast MAC
- address the interface is set up to receive.
- You should ask the vendor of your network interface whether it supports
- promiscuous mode. If it does, you should ask whoever supplied the
- driver for the interface (the vendor, or the supplier of the OS you're
- running on your machine) whether it supports promiscuous mode with that
- network interface.
- In the case of token ring interfaces, the drivers for some of them, on
- Windows, may require you to enable promiscuous mode in order to capture
- in promiscuous mode. See the Wireshark Wiki item on Token Ring
- capturing for details.
- In the case of wireless LAN interfaces, it appears that, when those
- interfaces are promiscuously sniffing, they're running in a
- significantly different mode from the mode that they run in when
- they're just acting as network interfaces (to the extent that it would
- be a significant effor for those drivers to support for promiscuously
- sniffing and acting as regular network interfaces at the same time), so
- it may be that Windows drivers for those interfaces don't support
- promiscuous mode.
-
- Q 7.2: When I capture with Wireshark, why can't I see any TCP packets
- other than packets to and from my machine, even though another analyzer
- on the network sees those packets?
-
- A: You're probably not seeing any packets other than unicast packets to
- or from your machine, and broadcast and multicast packets; a switch
- will normally send to a port only unicast traffic sent to the MAC
- address for the interface on that port, and broadcast and multicast
- traffic - it won't send to that port unicast traffic sent to a MAC
- address for some other interface - and a network interface not in
- promiscuous mode will receive only unicast traffic sent to the MAC
- address for that interface, broadcast traffic, and multicast traffic
- sent to a multicast MAC address the interface is set up to receive.
- TCP doesn't use broadcast or multicast, so you will only see your own
- TCP traffic, but UDP services may use broadcast or multicast so you'll
- see some UDP traffic - however, this is not a problem with TCP traffic,
- it's a problem with unicast traffic, as you also won't see all UDP
- traffic between other machines.
- I.e., this is probably the same question as this earlier one; see the
- response to that question.
-
- Q 7.3: Why am I only seeing ARP packets when I try to capture traffic?
-
- A: You're probably on a switched network, and running Wireshark on a
- machine that's not sending traffic to the switch and not being sent any
- traffic from other machines on the switch. ARP packets are often
- broadcast packets, which are sent to all switch ports.
- I.e., this is probably the same question as this earlier one; see the
- response to that question.
-
- Q 7.4: Why am I not seeing any traffic when I try to capture traffic?
-
- A: Is the machine running Wireshark sending out any traffic on the
- network interface on which you're capturing, or receiving any traffic
- on that network, or is there any broadcast traffic on the network or
- multicast traffic to a multicast group to which the machine running
- Wireshark belongs?
- If not, this may just be a problem with promiscuous sniffing, either
- due to running on a switched network or a dual-speed hub, or due to
- problems with the interface not supporting promiscuous mode; see the
- response to this earlier question.
- Otherwise, on Windows, see the response to this question and, on a
- UNIX-flavored OS, see the response to this question.
-
- Q 7.5: Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?
-
- A: Wireshark can only capture on devices supported by libpcap/WinPcap.
- On most OSes, only devices that can act as network interfaces of the
- type that support IP are supported as capture devices for
- libpcap/WinPcap, although the device doesn't necessarily have to be
- running as an IP interface in order to support traffic capture.
- On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
- Measurement Systems' DAG cards, so that a system with one of those
- cards, and its driver and libraries, installed can capture traffic with
- those cards with libpcap-based applications. You would either have to
- have a version of Wireshark built with that version of libpcap, or a
- dynamically-linked version of Wireshark and a shared libpcap library
- with DAG support, in order to do so with Wireshark. You should ask
- Endace whether that could be used to capture traffic on, for example,
- your T1/E1 link.
- See the SS7 capture setup page on the Wireshark Wiki for current
- information on capturing SS7 traffic on TDM links.
-
- Q 7.6: How do I put an interface into promiscuous mode?
-
- A: By not disabling promiscuous mode when running Wireshark or TShark.
- Note, however, that:
- * the form of promiscuous mode that libpcap (the library that
- programs such as tcpdump, Wireshark, etc. use to do packet capture)
- turns on will not necessarily be shown if you run ifconfig on the
- interface on a UNIX system;
- * some network interfaces might not support promiscuous mode, and
- some drivers might not allow promiscuous mode to be turned on - see
- this earlier question for more information on that;
- * the fact that you're not seeing any traffic, or are only seeing
- broadcast traffic, or aren't seeing any non-broadcast traffic other
- than traffic to or from the machine running Wireshark, does not
- mean that promiscuous mode isn't on - see this earlier question for
- more information on that.
-
- I.e., this is probably the same question as this earlier one; see the
- response to that question.
-
- Q 7.7: I can set a display filter just fine; why don't capture filters
- work?
-
- A: Capture filters currently use a different syntax than display
- filters. Here's the corresponding section from the wireshark(1) man
- page:
- "Display filters in Wireshark are very powerful; more fields are
- filterable in Wireshark than in other protocol analyzers, and the
- syntax you can use to create your filters is richer. As Wireshark
- progresses, expect more and more protocol fields to be allowed in
- display filters.
- Packet capturing is performed with the pcap library. The capture filter
- syntax follows the rules of the pcap library. This syntax is different
- from the display filter syntax."
- The capture filter syntax used by libpcap can be found in the
- tcpdump(8) man page.
-
- Q 7.8: I'm entering valid capture filters; why do I still get "parse
- error" errors?
-
- A: There is a bug in some versions of libpcap/WinPcap that cause it to
- report parse errors even for valid expressions if a previous filter
- expression was invalid and got a parse error.
- Try exiting and restarting Wireshark; if you are using a version of
- libpcap/WinPcap with this bug, this will "erase" its memory of the
- previous parse error. If the capture filter that got the "parse error"
- now works, the earlier error with that filter was probably due to this
- bug.
- The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of
- libpcap have this bug, but 0.6[.x] and later versions don't.
- Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of
- libpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and
- doesn't have this bug.
- If you are running Wireshark on a UNIX-flavored platform, run
- "wireshark -v", or select "About Wireshark..." from the "Help" menu in
- Wireshark, to see what version of libpcap it's using. If it's not 0.6
- or later, you will need either to upgrade your OS to get a later
- version of libpcap, or will need to build and install a later version
- of libpcap from the tcpdump.org Web site and then recompile Wireshark
- from source with that later version of libpcap.
- If you are running Wireshark on Windows with a pre-2.3 version of
- WinPcap, you will need to un-install WinPcap and then download and
- install WinPcap 2.3.
-
- Q 7.9: How can I capture packets with CRC errors?
-
- A: Wireshark can capture only the packets that the packet capture
- library - libpcap on UNIX-flavored OSes, and the WinPcap port to
- Windows of libpcap on Windows - can capture, and libpcap/WinPcap can
- capture only the packets that the OS's raw packet capture mechanism (or
- the WinPcap driver, and the underlying OS networking code and network
- interface drivers, on Windows) will allow it to capture.
- Unless the OS always supplies packets with errors such as invalid CRCs
- to the raw packet capture mechanism, or can be configured to do so,
- invalid CRCs to the raw packet capture mechanism, Wireshark - and other
- programs that capture raw packets, such as tcpdump - cannot capture
- those packets. You will have to determine whether your OS needs to be
- so configured and, if so, can be so configured, configure it if
- necessary and possible, and make whatever changes to libpcap and the
- packet capture program you're using are necessary, if any, to support
- capturing those packets.
- Most OSes probably do not support capturing packets with invalid CRCs
- on Ethernet, and probably do not support it on most other link-layer
- types. Some drivers on some OSes do support it, such as some Ethernet
- drivers on FreeBSD; in those OSes, you might always get those packets,
- or you might only get them if you capture in promiscuous mode (you'd
- have to determine which is the case).
- Note that libpcap does not currently supply to programs that use it an
- indication of whether the packet's CRC was invalid (because the drivers
- themselves do not supply that information to the raw packet capture
- mechanism); therefore, Wireshark will not indicate which packets had
- CRC errors unless the FCS was captured (see the next question) and
- you're using Wireshark 0.9.15 and later, in which case Wireshark will
- check the CRC and indicate whether it's correct or not.
-
- Q 7.10: How can I capture entire frames, including the FCS?
-
- A: Wireshark can only capture data that the packet capture library -
- libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
- libpcap on Windows - can capture, and libpcap/WinPcap can capture only
- the data that the OS's raw packet capture mechanism (or the WinPcap
- driver, and the underlying OS networking code and network interface
- drivers, on Windows) will allow it to capture.
- For any particular link-layer network type, unless the OS supplies the
- FCS of a frame as part of the frame, or can be configured to do so,
- Wireshark - and other programs that capture raw packets, such as
- tcpdump - cannot capture the FCS of a frame. You will have to determine
- whether your OS needs to be so configured and, if so, can be so
- configured, configure it if necessary and possible, and make whatever
- changes to libpcap and the packet capture program you're using are
- necessary, if any, to support capturing the FCS of a frame.
- Most OSes do not support capturing the FCS of a frame on Ethernet, and
- probably do not support it on most other link-layer types. Some drivres
- on some OSes do support it, such as some (all?) Ethernet drivers on
- NetBSD and possibly the driver for Apple's gigabit Ethernet interface
- in Mac OS X; in those OSes, you might always get the FCS, or you might
- only get the FCS if you capture in promiscuous mode (you'd have to
- determine which is the case).
- Versions of Wireshark prior to 0.9.15 will not treat an Ethernet FCS in
- a captured packet as an FCS. 0.9.15 and later will attempt to determine
- whether there's an FCS at the end of the frame and, if it thinks there
- is, will display it as such, and will check whether it's the correct
- CRC-32 value or not.
-
- Q 7.11: I'm capturing packets on a machine on a VLAN; why don't the
- packets I'm capturing have VLAN tags?
-
- A: You might be capturing on what might be called a "VLAN interface" -
- the way a particular OS makes VLANs plug into the networking stack
- might, for example, be to have a network device object for the physical
- interface, which takes VLAN packets, strips off the VLAN header and
- constructs an Ethernet header, and passes that packet to an internal
- network device object for the VLAN, which then passes the packets onto
- various higher-level protocol implementations.
- In order to see the raw Ethernet packets, rather than "de-VLANized"
- packets, you would have to capture not on the virtual interface for the
- VLAN, but on the interface corresponding to the physical network
- device, if possible. See the Wireshark Wiki item on VLAN capturing for
- details.
-
- Q 7.12: Why does Wireshark hang after I stop a capture?
-
- A: The most likely reason for this is that Wireshark is trying to look
- up an IP address in the capture to convert it to a name (so that, for
- example, it can display the name in the source address or destination
- address columns), and that lookup process is taking a very long time.
- Wireshark calls a routine in the OS of the machine on which it's
- running to convert of IP addresses to the corresponding names. That
- routine probably does one or more of:
- * a search of a system file listing IP addresses and names;
- * a lookup using DNS;
- * on UNIX systems, a lookup using NIS;
- * on Windows systems, a NetBIOS-over-TCP query.
-
- If a DNS server that's used in an address lookup is not responding, the
- lookup will fail, but will only fail after a timeout while the system
- routine waits for a reply.
- In addition, on Windows systems, if the DNS lookup of the address
- fails, either because the server isn't responding or because there are
- no records in the DNS that could be used to map the address to a name,
- a NetBIOS-over-TCP query will be made. That query involves sending a
- message to the NetBIOS-over-TCP name service on that machine, asking
- for the name and other information about the machine. If the machine
- isn't running software that responds to those queries - for example,
- many non-Windows machines wouldn't be running that software - the
- lookup will only fail after a timeout. Those timeouts can cause the
- lookup to take a long time.
- If you disable network address-to-name translation - for example, by
- turning off the "Enable network name resolution" option in the "Capture
- Options" dialog box for starting a network capture - the lookups of the
- address won't be done, which may speed up the process of reading the
- capture file after the capture is stopped. You can make that setting
- the default by selecting "Preferences" from the "Edit" menu, turning
- off the "Enable network name resolution" option in the "Name
- resolution" options in the preferences disalog box, and using the
- "Save" button in that dialog box; note that this will save all your
- current preference settings.
- If Wireshark hangs when reading a capture even with network name
- resolution turned off, there might, for example, be a bug in one of
- Wireshark's dissectors for a protocol causing it to loop infinitely. If
- you're not running the most recent release of Wireshark, you should
- first upgrade to that release, as, if there's a bug of that sort, it
- might've been fixed in a release after the one you're running. If the
- hang occurs in the most recent release of Wireshark, the bug should be
- reported to the Wireshark developers' mailing list at
- wireshark-dev@wireshark.org.
- On UNIX-flavored OSes, please try to force Wireshark to dump core, by
- sending it a SIGABRT signal (usually signal 6) with the kill command,
- and then get a stack trace if you have a debugger installed. A stack
- trace can be obtained by using your debugger (gdb in this example), the
- Wireshark binary, and the resulting core file. Here's an example of how
- to use the gdb command backtrace to do so.
- $ gdb wireshark core
- (gdb) backtrace
- ..... prints the stack trace
- (gdb) quit
- $
-
- The core dump file may be named "wireshark.core" rather than "core" on
- some platforms (e.g., BSD systems).
- Also, if at all possible, please send a copy of the capture file that
- caused the problem; when capturing packets, Wireshark normally writes
- captured packets to a temporary file, which will probably be in /tmp or
- /var/tmp on UNIX-flavored OSes, \TEMP on the main system disk (normally
- C:) on Windows 9x/Me/NT 4.0, and \Documents and Settings\your login
- name\Local Settings\Temp on the main system disk on Windows
- 2000/Windows XP/Windows Server 2003, so the capture file will probably
- be there. It will have a name beginning with ether, with some mixture
- of letters and numbers after that. Please don't send a trace file
- greater than 1 MB when compressed; instead, make it available via FTP
- or HTTP, or say it's available but leave it up to a developer to ask
- for it. If the trace file contains sensitive information (e.g.,
- passwords), then please do not send it.
-
- 8. Capturing packets on Windows
-
- Q 8.1: I'm running Wireshark on Windows; why does some network
- interface on my machine not show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start",
- and/or why does Wireshark give me an error if I try to capture on that
- interface?
-
- A: If you are running Wireshark on Windows NT 4.0, Windows 2000,
- Windows XP, or Windows Server 2003, and this is the first time you have
- run a WinPcap-based program (such as Wireshark, or TShark, or WinDump,
- or Analyzer, or...) since the machine was rebooted, you need to run
- that program from an account with administrator privileges; once you
- have run such a program, you will not need administrator privileges to
- run any such programs until you reboot.
- If you are running on Windows Windows 2000/Windows XP/Windows Server
- 2003 and have administrator privileges or a WinPcap-based program has
- been run with those privileges since the machine rebooted, this problem
- might clear up if you completely un-install WinPcap and then re-install
- it.
- If that doesn't work, then note that Wireshark relies on the WinPcap
- library, on the WinPcap device driver, and on the facilities that come
- with the OS on which it's running in order to do captures.
- Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
- support capturing on a particular network interface device, Wireshark
- won't be able to capture on that device.
- Note that:
- 1. 2.02 and earlier versions of the WinPcap driver and library that
- Wireshark uses for packet capture didn't support Token Ring
- interfaces; versions 2.1 and later support Token Ring, and the
- current version of Wireshark works with (and, in fact, requires)
- WinPcap 2.1 or later.
- If you are having problems capturing on Token Ring interfaces, and
- you have WinPcap 2.02 or an earlier version of WinPcap installed,
- you should uninstall WinPcap, download and install the current
- version of WinPcap, and then install the latest version of
- Wireshark.
- 2. WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows
- NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to
- avoid those problems, support for PPP WAN interfaces on those
- versions of Windows has been disabled in WinPcap 3.0. Regular
- dial-up lines, ISDN lines, ADSL connections using PPPoE or PPPoA,
- and various other lines such as T1/E1 lines are all PPP interfaces,
- so those interfaces might not show up on the list of interfaces in
- the "Capture Options" dialog on those OSes.
- On Windows 2000, Windows XP, and Windows Server 2003, but not
- Windows NT 4.0 or Windows Vista Beta 1, you should be able to
- capture on the "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta
- releases called it the "NdisWanAdapter"; if you're using a 3.1 beta
- release, you should un-install it and install the final 3.1
- release.) See the Wireshark Wiki item on PPP capturing for details.
- 3. WinPcap prior to 3.0 does not support multiprocessor machines (note
- that machines with a single multi-threaded processor, such as
- Intel's new multi-threaded x86 processors, are multiprocessor
- machines as far as the OS and WinPcap are concerned), and recent
- 2.x versions of WinPcap refuse to operate if they detect that
- they're running on a multiprocessor machine, which means that they
- may not show any network interfaces. You will need to use WinPcap
- 3.0 to capture on a multiprocessor machine.
-
- If an interface doesn't show up in the list of interfaces in the
- "Interface:" field, and you know the name of the interface, try
- entering that name in the "Interface:" field and capturing on that
- device.
- If the attempt to capture on it succeeds, the interface is somehow not
- being reported by the mechanism Wireshark uses to get a list of
- interfaces. Try listing the interfaces with WinDump; see the WinDump
- Web site for information on using WinDump.
- You would run WinDump with the -D flag; if it lists the interface,
- please report this to wireshark-dev@wireshark.org giving full details
- of the problem, including
- * the operating system you're using, and the version of that
- operating system;
- * the type of network device you're using;
- * the output of WinDump.
-
- If WinDump does not list the interface, this is almost certainly a
- problem with one or more of:
- * the operating system you're using;
- * the device driver for the interface you're using;
- * the WinPcap library and/or the WinPcap device driver;
-
- so first check the WinPcap FAQ or the Wiretapped.net mirror of that
- FAQ, to see if your problem is mentioned there. If not, then see the
- WinPcap support page - check the "Submitting bugs" section.
- If you are having trouble capturing on a particular network interface,
- first try capturing on that device with WinDump; see the WinDump Web
- site for information on using WinDump.
- If you can capture on the interface with WinDump, send mail to
- wireshark-users@wireshark.org giving full details of the problem,
- including
- * the operating system you're using, and the version of that
- operating system;
- * the type of network device you're using;
- * the error message you get from Wireshark.
-
- If you cannot capture on the interface with WinDump, this is almost
- certainly a problem with one or more of:
- * the operating system you're using;
- * the device driver for the interface you're using;
- * the WinPcap library and/or the WinPcap device driver;
-
- so first check the WinPcap FAQ or the Wiretapped.net mirror of that
- FAQ, to see if your problem is mentioned there. If not, then see the
- WinPcap support page - check the "Submitting bugs" section.
- You may also want to ask the wireshark-users@wireshark.org and the
- winpcap-users@winpcap.org mailing lists to see if anybody happens to
- know about the problem and know a workaround or fix for the problem.
- (Note that you will have to subscribe to that list in order to be
- allowed to mail to it; see the WinPcap support page for information on
- the mailing list.) In your mail, please give full details of the
- problem, as described above, and also indicate that the problem occurs
- with WinDump, not just with Wireshark.
-
- Q 8.2: I'm running Wireshark on Windows; why do no network interfaces
- show up in the list of interfaces in the "Interface:" field in the
- dialog box popped up by "Capture->Start"?
-
- A: This is really the same question as a previous one; see the response
- to that question.
-
- Q 8.3: I'm running Wireshark on Windows; why doesn't my serial
- port/ADSL modem/ISDN modem show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start"?
-
- A: Internet access on those devices is often done with the
- Point-to-Point (PPP) protocol; WinPcap 2.3 has problems supporting PPP
- WAN interfaces on Windows NT 4.0, Windows 2000, Windows XP, and Windows
- Server 2003, and, to avoid those problems, support for PPP WAN
- interfaces on those versions of Windows has been disabled in WinPcap
- 3.0.
- On Windows 2000, Windows XP, and Windows Server 2003, but not Windows
- NT 4.0 or Windows Vista Beta 1, you should be able to capture on the
- "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it
- the "NdisWanAdapter"; if you're using a 3.1 beta release, you should
- un-install it and install the final 3.1 release.) See the Wireshark
- Wiki item on PPP capturing for details.
-
- Q 8.4: I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows
- XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
- interface, and it shows up in the "Interface" item in the "Capture
- Options" dialog box. Why can no packets be sent on or received from
- that network while I'm trying to capture traffic on that interface?
-
- A: Some versions of WinPcap have problems with PPP WAN interfaces on
- Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one
- symptom that may be seen is that attempts to capture in promiscuous
- mode on the interface cause the interface to be incapable of sending or
- receiving packets. You can disable promiscuous mode using the -p
- command-line flag or the item in the "Capture Preferences" dialog box,
- but this may mean that outgoing packets, or incoming packets, won't be
- seen in the capture.
- On Windows 2000, Windows XP, and Windows Server 2003, but not Windows
- NT 4.0 or Windows Vista Beta 1, you should be able to capture on the
- "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it
- the "NdisWanAdapter"; if you're using a 3.1 beta release, you should
- un-install it and install the final 3.1 release.) See the Wireshark
- Wiki item on PPP capturing for details.
-
- Q 8.5: I'm running Wireshark on Windows; why am I not seeing any
- traffic being sent by the machine running Wireshark?
-
- A: If you are running some form of VPN client software, it might be
- causing this problem; people have seen this problem when they have
- Check Point's VPN software installed on their machine. If that's the
- cause of the problem, you will have to remove the VPN software in order
- to have Wireshark (or any other application using WinPcap) see outgoing
- packets; unfortunately, neither we nor the WinPcap developers know any
- way to make WinPcap and the VPN software work well together.
- Also, some drivers for Windows (especially some wireless network
- interface drivers) apparently do not, when running in promiscuous mode,
- arrange that outgoing packets are delivered to the software that
- requested that the interface run promiscuously; try turning promiscuous
- mode off.
-
- Q 8.6: When I capture on Windows in promiscuous mode, I can see packets
- other than those sent to or from my machine; however, those packets
- show up with a "Short Frame" indication, unlike packets to or from my
- machine. What should I do to arrange that I see those packets in their
- entirety?
-
- A: In at least some cases, this appears to be the result of PGPnet
- running on the network interface on which you're capturing; turn it off
- on that interface.
-
- Q 8.7: I'm trying to capture 802.11 traffic on Windows; why am I not
- seeing any packets?
-
- A: At least some 802.11 card drivers on Windows appear not to see any
- packets if they're running in promiscuous mode. Try turning promiscuous
- mode off; you'll only be able to see packets sent by and received by
- your machine, not third-party traffic, and it'll look like Ethernet
- traffic and won't include any management or control frames, but that's
- a limitation of the card drivers.
- See MicroLogix's list of cards supported with WinPcap for information
- on support of various adapters and drivers with WinPcap.
-
- Q 8.8: I'm trying to capture 802.11 traffic on Windows; why am I seeing
- packets received by the machine on which I'm capturing traffic, but not
- packets sent by that machine?
-
- A: This appears to be another problem with promiscuous mode; try
- turning it off.
-
- Q 8.9: I'm trying to capture Ethernet VLAN traffic on Windows, and I'm
- capturing on a "raw" Ethernet device rather than a "VLAN interface", so
- that I can see the VLAN headers; why am I seeing packets received by
- the machine on which I'm capturing traffic, but not packets sent by
- that machine?
-
- A: The way the Windows networking code works probably means that
- packets are sent on a "VLAN interface" rather than the "raw" device, so
- packets sent by the machine will only be seen when you capture on the
- "VLAN interface". If so, you will be unable to see outgoing packets
- when capturing on the "raw" device, so you are stuck with a choice
- between seeing VLAN headers and seeing outgoing packets.
-
- 9. Capturing packets on UN*Xes
-
- Q 9.1: I'm running Wireshark on a UNIX-flavored OS; why does some
- network interface on my machine not show up in the list of interfaces
- in the "Interface:" field in the dialog box popped up by
- "Capture->Start", and/or why does Wireshark give me an error if I try
- to capture on that interface?
-
- A: You may need to run Wireshark from an account with sufficient
- privileges to capture packets, such as the super-user account, or may
- need to give your account sufficient privileges to capture packets.
- Only those interfaces that Wireshark can open for capturing show up in
- that list; if you don't have sufficient privileges to capture on any
- interfaces, no interfaces will show up in the list. See the Wireshark
- Wiki item on capture privileges for details on how to give a particular
- account or account group capture privileges on platforms where that can
- be done.
- If you are running Wireshark from an account with sufficient
- privileges, then note that Wireshark relies on the libpcap library, and
- on the facilities that come with the OS on which it's running in order
- to do captures. On some OSes, those facilities aren't present by
- default; see the Wireshark Wiki item on adding capture support for
- details.
- And, even if you're running with an account that has sufficient
- privileges to capture, and capture support is present in your OS, if
- the OS or the libpcap library don't support capturing on a particular
- network interface device or particular types of devices, Wireshark
- won't be able to capture on that device.
- On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
- Ring interfaces; the current version, 0.7.2, does support Token Ring,
- and the current version of Wireshark works with libpcap 0.7.2 and
- later.
- If an interface doesn't show up in the list of interfaces in the
- "Interface:" field, and you know the name of the interface, try
- entering that name in the "Interface:" field and capturing on that
- device.
- If the attempt to capture on it succeeds, the interface is somehow not
- being reported by the mechanism Wireshark uses to get a list of
- interfaces; please report this to wireshark-dev@wireshark.org giving
- full details of the problem, including
- * the operating system you're using, and the version of that
- operating system (for Linux, give both the version number of the
- kernel and the name and version number of the distribution you're
- using);
- * the type of network device you're using.
-
- If you are having trouble capturing on a particular network interface,
- and you've made sure that (on platforms that require it) you've
- arranged that packet capture support is present, as per the above,
- first try capturing on that device with tcpdump.
- If you can capture on the interface with tcpdump, send mail to
- wireshark-users@wireshark.org giving full details of the problem,
- including
- * the operating system you're using, and the version of that
- operating system (for Linux, give both the version number of the
- kernel and the name and version number of the distribution you're
- using);
- * the type of network device you're using;
- * the error message you get from Wireshark.
-
- If you cannot capture on the interface with tcpdump, this is almost
- certainly a problem with one or more of:
- * the operating system you're using;
- * the device driver for the interface you're using;
- * the libpcap library;
-
- so you should report the problem to the company or organization that
- produces the OS (in the case of a Linux distribution, report the
- problem to whoever produces the distribution).
- You may also want to ask the wireshark-users@wireshark.org and the
- tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to
- know about the problem and know a workaround or fix for the problem. In
- your mail, please give full details of the problem, as described above,
- and also indicate that the problem occurs with tcpdump not just with
- Wireshark.
-
- Q 9.2: I'm running Wireshark on a UNIX-flavored OS; why do no network
- interfaces show up in the list of interfaces in the "Interface:" field
- in the dialog box popped up by "Capture->Start"?
-
- A: This is really the same question as the previous one; see the
- response to that question.
-
- Q 9.3: I'm capturing packets on Linux; why do the time stamps have only
- 100ms resolution, rather than 1us resolution?
-
- A: Wireshark gets time stamps from libpcap/WinPcap, and libpcap/WinPcap
- get them from the OS kernel, so Wireshark - and any other program using
- libpcap, such as tcpdump - is at the mercy of the time stamping code in
- the OS for time stamps.
- At least on x86-based machines, Linux can get high-resolution time
- stamps on newer processors with the Time Stamp Counter (TSC) register;
- for example, Intel x86 processors, starting with the Pentium Pro, and
- including all x86 processors since then, have had a TSC, and other
- vendors probably added the TSC at some point to their families of x86
- processors. The Linux kernel must be configured with the CONFIG_X86_TSC
- option enabled in order to use the TSC. Make sure this option is
- enabled in your kernel.
- In addition, some Linux distributions may have bugs in their versions
- of the kernel that cause packets not to be given high-resolution time
- stamps even if the TSC is enabled. See, for example, bug 61111 for Red
- Hat Linux 7.2. If your distribution has a bug such as this, you may
- have to run a standard kernel from kernel.org in order to get
- high-resolution time stamps.
-
- 10. Capturing packets on wireless LANs
-
- Q 10.1: How can I capture raw 802.11 frames, including non-data
- (management, beacon) frames?
-
- A: That depends on the operating system on which you're running, and on
- the 802.11 interface on which you're capturing.
- This would probably require that you capture in promiscuous mode or in
- the mode called "monitor mode" or "RFMON mode". On some platforms, or
- with some cards, this might require that you capture in monitor mode -
- promiscuous mode might not be sufficient. If you want to capture
- traffic on networks other than the one with which you're associated,
- you will have to capture in monitor mode.
- Not all operating systems support capturing non-data packets and, even
- on operating systems that do support it, not all drivers, and thus not
- all interfaces, support it. Even on those that do, monitor mode might
- not be supported by the operating system or by the drivers for all
- interfaces.
- NOTE: an interface running in monitor mode will, on most if not all
- platforms, not be able to act as a regular network interface; putting
- it into monitor mode will, in effect, take your machine off of whatever
- network it's on as long as the interface is in monitor mode, allowing
- it only to passively capture packets.
- This means that you should disable name resolution when capturing in
- monitor mode; otherwise, when Wireshark (or TShark, or tcpdump) tries
- to display IP addresses as host names, it will probably block for a
- long time trying to resolve the name because it will not be able to
- communicate with any DNS or NIS servers.
- See the Wireshark Wiki item on 802.11 capturing for details.
-
- Q 10.2: How do I capture on an 802.11 device in monitor mode?
-
- A: Whether you will be able to capture in monitor mode depends on the
- operating system, adapter, and driver you're using. See the previous
- question for information on monitor mode, including a link to the
- Wireshark Wiki page that gives details on 802.11 capturing.
-
- 11. Viewing traffic
-
- Q 11.1: Why am I seeing lots of packets with incorrect TCP checksums?
-
- A: If the packets that have incorrect TCP checksums are all being sent
- by the machine on which Wireshark is running, this is probably because
- the network interface on which you're capturing does TCP checksum
- offloading. That means that the TCP checksum is added to the packet by
- the network interface, not by the OS's TCP/IP stack; when capturing on
- an interface, packets being sent by the host on which you're capturing
- are directly handed to the capture interface by the OS, which means
- that they are handed to the capture interface without a TCP checksum
- being added to them.
- The only way to prevent this from happening would be to disable TCP
- checksum offloading, but
- 1. that might not even be possible on some OSes;
- 2. that could reduce networking performance significantly.
-
- However, you can disable the check that Wireshark does of the TCP
- checksum, so that it won't report any packets as having TCP checksum
- errors, and so that it won't refuse to do TCP reassembly due to a
- packet having an incorrect TCP checksum. That can be set as an
- Wireshark preference by selecting "Preferences" from the "Edit" menu,
- opening up the "Protocols" list in the left-hand pane of the
- "Preferences" dialog box, selecting "TCP", from that list, turning off
- the "Check the validity of the TCP checksum when possible" option,
- clicking "Save" if you want to save that setting in your preference
- file, and clicking "OK".
- It can also be set on the Wireshark or TShark command line with a -o
- tcp.check_checksum:false command-line flag, or manually set in your
- preferences file by adding a tcp.check_checksum:false line.
-
- Q 11.2: I've just installed Wireshark, and the traffic on my local LAN
- is boring. Where can I find more interesting captures?
-
- A: We have a collection of strange and exotic sample capture files at
- http://wiki.wireshark.org/SampleCaptures
-
- Q 11.3: Why doesn't Wireshark correctly identify RTP packets? It shows
- them only as UDP.
-
- A: Wireshark can identify a UDP datagram as containing a packet of a
- particular protocol running atop UDP only if
- 1. The protocol in question has a particular standard port number, and
- the UDP source or destination port number is that port
- 2. Packets of that protocol can be identified by looking for a
- "signature" of some type in the packet - i.e., some data that, if
- Wireshark finds it in some particular part of a packet, means that
- the packet is almost certainly a packet of that type.
- 3. Some other traffic earlier in the capture indicated that, for
- example, UDP traffic between two particular addresses and ports
- will be RTP traffic.
-
- RTP doesn't have a standard port number, so 1) doesn't work; it
- doesn't, as far as I know, have any "signature", so 2) doesn't work.
- That leaves 3). If there's RTSP traffic that sets up an RTP session,
- then, at least in some cases, the RTSP dissector will set things up so
- that subsequent RTP traffic will be identified. Currently, that's the
- only place we do that; there may be other places.
- However, there will always be places where Wireshark is simply
- incapable of deducing that a given UDP flow is RTP; a mechanism would
- be needed to allow the user to specify that a given conversation should
- be treated as RTP. As of Wireshark 0.8.16, such a mechanism exists; if
- you select a UDP or TCP packet, the right mouse button menu will have a
- "Decode As..." menu item, which will pop up a dialog box letting you
- specify that the source port, the destination port, or both the source
- and destination ports of the packet should be dissected as some
- particular protocol.
-
- Q 11.4: Why doesn't Wireshark show Yahoo Messenger packets in captures
- that contain Yahoo Messenger traffic?
-
- A: Wireshark only recognizes as Yahoo Messenger traffic packets to or
- from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP
- segments that start with the middle of a Yahoo Messenger packet that
- takes more than one TCP segment will not be recognized as Yahoo
- Messenger packets (even if the TCP segment also contains the beginning
- of another Yahoo Messenger packet).
-
- 12. Filtering traffic
-
- Q 12.1: I saved a filter and tried to use its name to filter the
- display; why do I get an "Unexpected end of filter string" error?
-
- A: You cannot use the name of a saved display filter as a filter. To
- filter the display, you can enter a display filter expression - not the
- name of a saved display filter - in the "Filter:" box at the bottom of
- the display, and type the key or press the "Apply" button (that does
- not require you to have a saved filter), or, if you want to use a saved
- filter, you can press the "Filter:" button, select the filter in the
- dialog box that pops up, and press the "OK" button.
-
- Q 12.2: How can I search for, or filter, packets that have a particular
- string anywhere in them?
-
- A: If you want to do this when capturing, you can't. That's a feature
- that would be hard to implement in capture filters without changes to
- the capture filter code, which, on many platforms, is in the OS kernel
- and, on other platforms, is in the libpcap library.
- In releases prior to 0.9.14, you also can't search for, or filter,
- packets containing a particular string even after you've captured them.
- In 0.9.14, you can search for, but not filter, packets that have a
- particular string; this has been added to the "Find Frame" dialog
- ("Find Frame" under the "Edit" menu, or control-F).
- In 0.9.15 and later, you can search for those packets using either the
- mechanism introduced in 0.9.14 or using the new "contains" operator in
- filter expressions, which lets you search the entire packet or text
- string or byte string fields in the packet; the "contains" operator can
- also be used in expressions used to filter the display.
-
- Q 12.3: How do I filter a capture to see traffic for virus XXX?
-
- A: For some viruses/worms there might be a capture filter to recognize
- the virus traffic. Check the CaptureFilters page on the Wireshark Wiki
- to see if anybody's added such a filter.
- Note that Wireshark was not designed to be an intrusion detection
- system; you might be able to use it as an IDS, but in most cases
- software designed to be an IDS, such as Snort or Prelude, will probably
- work better.
- The Bleeding Edge of Snort has a collection of signatures for Snort to
- detect various viruses, worms, and the like.
+++ /dev/null
-#!/bin/sh
-#
-# $Id$
-#
-# Make-faq - Creates a plain text version of the Wireshark FAQ
-# from http://www.wireshark.org/faq.html
-
-rm -f FAQ
-cat >FAQ <<EOF
-
- The Wireshark FAQ
-
- Note: This is just an ASCII snapshot of the faq and may not be up to
- date. Please go to http://www.wireshark.org/faq.html for the up
- to date version. The version of this snapshot can be found at
- the end of this document.
-
- INDEX
-
-EOF
-
-lynx -dump -nolist "http://www.wireshark.org/faq_plain.html" | \
- sed -e '1,/^ *Index$/d' >>FAQ
-
-echo
-echo "Now verfiy everything is OK and copy FAQ to help/faq.txt"
-echo "To verify run: diff -u help/faq.txt FAQ"
-echo
-
-exit 0
git.samba.org / obnox / wireshark / wip.git / commitdiff